=========================================================================
Date: Mon, 22 Aug 88 07:35:47 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: Hiding a virus between disk sectors
In-Reply-To: Your message of Fri, 19 Aug 88 19:38:00 EST

> What would the theory be
> behind putting a virus in between sectors?

If there's physical space there, then I'm sure that it can be done. You have to remember a couple things though. First, the virus would need some "bootstrap" code that would have to reside in a program(s) which is accessible to DOS, or else the space in between sectors would be ignored. Also, the virus would become very hardware specific. Certainly floppy disks and hard disks (let alone different models of hard disk controllers, etc.) have different physical characteristics in this regard.

IMHO, the bottom line is that writing such a virus would not be feasible, or at least cost (of time) efficient.

Ken

Kenneth R. van Wyk                    Calvin: Dad, can I have a flame thrower?
User Services Senior Consultant       Dad: Of course not!
Lehigh University Computing Center    Calvin: Even if I don't use it in the
Internet:                             house?!!!
BITNET:

=========================================================================
Date: Mon, 22 Aug 88 11:09:25 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Virus insurance

Recently, on the RISKS forum (I believe), there's been some discussion about virus insurance. Specifically, about how corporations are seeking virus clauses in their computer security insurance policies. The posting said that at least one (insurance) underwriter has started specifically rejecting any virus coverage at all. The insurance companies seem to feel that they need to learn more about viruses before being able to insure against them. Apparently it could cause security policies to specify much higher deductibles, etc.
I thought that it could be an interesting topic for discussion... Any thoughts? If *you* were representing an insurance company, would *you* want to recommend insuring against viruses? Of course, this would not be limited to PCs and/or mainframes.

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
Internet:
BITNET:

=========================================================================
Date: Mon, 22 Aug 88 07:54:16 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: me! Jefferson Ogata
Subject: distribution

By the way, the distribution of this list has been really weird at my end lately; I've been getting postings WAY out of order, like days. My node seems to be served by some other site now; I don't know if that's the problem. Maybe it's just the size of the postings. Anyone else having major weirdness lately?

- Jeff Ogata

=========================================================================
Date: Mon, 22 Aug 88 13:54:53 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: distribution
In-Reply-To: Your message of Mon, 22 Aug 88 07:54:16 EDT

> By the way, the distribution of this list has been really weird at my end
> ...
> major weirdness lately?

BITNET, being store-and-forward, gives smaller messages priority over larger ones. That could possibly explain the ordering problems. The list should still be served by LISTSERV@LEHIIBM1.BITNET unless you're on a local redistribution list. We are, however, slowly looking to pick up a peer LISTSERV or two sometime in the future.

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
Internet:
BITNET:

=========================================================================
Date: Mon, 22 Aug 88 15:25:06 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Viruses Between Sectors

A few weeks back, Joe, Chris Bracy and I were all called out to California to test a new anti-viral package of a company which none of us have anything to do with (that company will remain nameless). They asked us to put their package through the wringer and see if we could figure out a way to get a virus through all their defenses. We found several.

One of the ideas we kicked around, which had been conceived by some of Fred Cohen's students a few years ago, was hiding a large part of the viral code in between sectors. We wouldn't have to specify that sectors were bad, or change file sizes or anything that a program might catch. A program can't really check between sectors because it's unsure of what would be there. The virus would still have to be a boot sector virus or hide in an executable or so on. We felt the best combination was to have the virus attack the boot sector.

This would be a difficult virus to work with and a difficult one to write, but not impossible by any means. The real problem is that we are very limited in space, although we can point to each of the between-sector areas.

Remember that viruses can hide anywhere. On old Apple II's, we've heard of viruses being able to be hidden in memory other than the main memory, little pieces hidden around the system.

There is no easy way to check for code in these sectors other than mapping them and CRCing whatever junk might be written there, and checking it periodically, but this is unreliable. It's far easier to watch for the main program in the boot sector, executables, memory, BIOS and so on.
Loren

=========================================================================
Date: Mon, 22 Aug 88 16:10:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: NEWTON@NBSENH
Subject: Mail Order

Yes. I had a dry spell for a few days, then came in this (Monday) and had *82* mail messages waiting--mostly from virus-l.

=========================================================================
Date: Mon, 22 Aug 88 03:38:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: me! Jefferson Ogata
Subject: computer functionality b/w timed virus attacks

The idea of a box that computes only one function certainly falls within the definition of a computer. Every computer I ever met satisfies that one. Any computer with finite memory is only capable of computing one function: executing its machine code with finite input and environment. Each program is merely a point in the domain of the function of the computer. After all, to a computer, programs are the real input. Data is just junk for the programs to munch on.

When viewed from this perspective, the problem of computer infection becomes: how can a program alter the computer's actual input (programs)? In general, computer programs map some language expressed in the form of data into the domain of the computer's execution function. As such, most data can be viewed as a program running on a virtual machine being emulated by the program actually running on the computer. In the case of interpreters and compilers, the language of the data may be sufficiently rich for data infection to propagate. But usually the data does not have sufficient semantics to alter other programs or data. Punching the keys on a calculator or microwave are types of data that fall into the latter class.

Generalizing the idea a bit, we can see that any computer program is a simulator for some virtual machine.
Almost every one of these virtual machines is a more limited machine than the actual computer it is being simulated by. (Possible exceptions: compilers, interpreters, assemblers.) So the idea of exploiting limited functionality for virus prevention is inherent in the use of computer programs.

Virus infection from the data angle is never likely to be a problem because it is too difficult compared to good ol' code infection. How do you devise data that makes your accounting package crash your hard disk? And if you CAN, how can it propagate? The virtual machines provided by most computer programs are too limited to be infected. My theory is that virus attacks will almost invariably come from code-altering techniques. If so, calculators, microwaves, and security doors will always be safe because their actual data (code) is permanent and unwritable.

Also: Somebody put forth this scenario earlier: Timed virus crashes a system; Staff loads last dump; Dump crashes system too; Staff loads older dump, etc. until successful. By this time system has lost months of work.

Not so; the appropriate response to such a virus attack is to perform the previous actions until a working system is found, then to reset the system clock to sometime in the past and reload your last dump. The recent work can then be salvaged (mostly, hopefully). Even if the virus is counting executions of itself for timing, tape archive formats usually allow selective retrieval of data; once a successful system is found, the latest data can be undumped and cleaned up.

- Jeff Ogata

=========================================================================
Date: Tue, 23 Aug 88 00:41:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ZDABADE@VAX1.CC.LEHIGH.EDU
Subject: Virus Immunizer Ad

Here's a card that I got in the mail that might prove interesting:

                    PREVENT COMPUTER VIRUSES
                    IMMUNIZE (TM) YOUR PC!!!
If your computer can talk to the outside world (modems, floppy swaps, etc...), it can also be infected by a "computer virus" planted by an unscrupulous hacker. IMMUNIZE can prevent almost any type of virus from inhabiting your machine, regardless of the method used for infection.

IMMUNIZE is available for $99.95, with this card only (regularly $149.95), and comes with an UNCONDITIONAL GUARANTEE! We will refund your money at any time in the next FIVE YEARS if you are unsatisfied, FOR ANY REASON WHATSOEVER.

For further information, or to order IMMUNIZE, CALL TOLL FREE (800) 825-6600

                    Remote Technologies
                    A Missouri Corporation
                    3612 Cleveland Avenue
                    Saint Louis, Missouri 63110

---------------------------------------------------------------------

This is NOT a plug for this company, only a discussion. What do you all out there think about a company that promises so much???

David

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
| From: David A. Bader, Studentis Maximus                                |
|                                                                        |
| DAB3@LEHIGH                        SloNet: 1402 Lorain Avenue          |
| ZDABADE@VAX1.CC.LEHIGH.EDU                 Bethlehem, Pa. 18018        |
| HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                     |
|                                                                        |
| SchoolNet: Box 914,                -On a mostly harmless               |
| Lehigh University,                 blue green planet...                |
| Bethlehem, Pa. 18015               -And loving it!                     |
\________________________________________________________________________/

=========================================================================
Date: Tue, 23 Aug 88 02:37:15 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Steve
Subject: Openness; Viruses and Software Companies; Insurance

I can understand trying to keep virus-writing technology under wraps, because if no one understands how to write a virus, there probably won't be any viruses. But it's too late. The concept is already out and its feasibility has been amply demonstrated.
It's naive to think that I or anyone else couldn't write a virus without 'details' supplied from someone else (the 'details' are already there and freely available in the form of programmer's manuals). I personally don't feel I would need *any* help writing a virus if that's what I set my heart on doing (but I don't want to and I have better things to do). On the other hand I think that the fewer people there are who understand the guts of viruses, the fewer there will be who will write anti-virus programs. I may be wrong, but I think you need to know more to write an anti-virus program (like what viruses are out there and how they work) than you need to know to write a virus.

As far as the origins of PC viruses are concerned, one has to ask if there is anyone out there who can reap financial gains from viruses. The answer is yes. Companies that sell software are competing with freeware. If they can make people afraid of freeware (because of risk of virus infection), then they can sell more software (including the antidote for particular viruses, including any they may have written and released themselves in trojan-horse freeware or apparently pirated versions of their own software). Would a software company resort to such tactics? What are the risks of such a company getting caught by someone tracing trojan-horse freeware back to it?

About virus insurance... I tend to think of insurance companies as only slightly better than virus-writers. Because viruses are so new and because it's so hard to predict what the future holds in the way of new and innovative viruses I would expect the rates to be astronomical, with how astronomical depending on what the machine was being used for and what you expected the insurance company to protect you from (financial loss due to loss of records [*that* could get expensive!]? the cost of having your system cleaned and up and running again after a virus attack?).
However, the rates would undoubtedly improve significantly if the insurance company imposed on the insured the simple common-sense hygiene of the type that Ken recommended (rotating backups, etc.), which I think is by far the best insurance, and/or imposed virus detection/prevention measures.

Steven C. Woronick         | An extrapolation of its present rate of
Physics Dept.              | growth reveals that in the not too distant
SUNY @ Stony Brook         | future, Physical Review will fill bookshelves
Stony Brook, NY 11794      | at a speed exceeding that of light. This
                           | is not forbidden by relativity, since no
516-632-8133               | information is being conveyed.

=========================================================================
Date: Tue, 23 Aug 88 08:01:38 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: Virus Immunizer Ad
In-Reply-To: Your message of Tue, 23 Aug 88 00:41:00 EST

> comes with an UNCONDITIONAL GUARANTEE! We will refund your money at any time
> in the next FIVE YEARS if you are unsatisfied, FOR ANY REASON WHATSOEVER.

Pretty impressive claim, if they can stand behind it, and if they exist five years from now...

> This is NOT a plug for this company, only a discussion. What
> do you all out there think about a company that promises so much???

It's a good topic of discussion, but I would have preferred it if no specific company names were mentioned. I'd appreciate everyone's cooperation on keeping this, and other future discussions, non-commercial - please. This list originates on BITNET, and we must adhere to their non-commercial guidelines. Thanks.

Anyway, I'm always a little bit wary of companies that promise the world, as it were. I'd be willing to bet that the fine print in the product's manual (if there is one) was a little bit more, er, specific than the ad that you got in the mail. Perhaps not, but that would certainly be the exception, not the rule.

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
Internet:
BITNET:

=========================================================================
Date: Tue, 23 Aug 88 08:10:43 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: Openness; Viruses and Software Companies; Insurance
In-Reply-To: Your message of Tue, 23 Aug 88 02:37:15 EDT

> As far as the origins of PC viruses are concerned, one has to ask if
> there is anyone out there who can reap financial gains from viruses.

Of course! Let's remember that a virus need not be overtly destructive; it may merely wish to alter data, or perhaps even extract data. A hypothetical scenario could be: company A wishes to give competitor company B a bad name, so they covertly release a virus which infects company B's product - not to destroy it per se, but to have it give intermittently incorrect results, thereby destroying its credibility.

Ken

=========================================================================
Date: Tue, 23 Aug 88 09:03:59 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe McMahon
Subject: Re: distribution
In-Reply-To: Message of Mon, 22 Aug 88 13:54:53 EDT from

Anyone who has been running with the University of Chile as their closest backbone server may have noticed bizarre things lately. There were some problems; the newest node list changes the weights of the link to try to keep North American mail from going to South America first (and getting delayed).

--- Joe M.

=========================================================================
Date: Mon, 22 Aug 88 21:00:00 SST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ANYONE@ISS.NUS.AC.SG
Subject: REFERENCE TO PUBKEY MAILING LIST

A RECENT VIRUS-L MSG MENTIONED A PUBLIC KEY CRYPTO MAILING LIST. I TRIED TO MSG THE NAME THAT WAS QUOTED AND GOT MY MSG BOUNCED.
ANYBODY HAVE ANY FURTHER INFO ON PUBKEY???

/JC ON JIM@ISS.NUS.AC.SG

=========================================================================
Date: Tue, 23 Aug 88 09:12:43 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe McMahon
Subject: Re: Openness; Viruses and Software Companies; Insurance
In-Reply-To: Message of Tue, 23 Aug 88 02:37:15 EDT from

On openness: I agree that there are people who are intelligent enough to write viruses without help. However, it is pretty much certain that the nVIR Mac virus was created by someone who took the "sample virus" from CompuServe and turned it into a real nuisance.

On viruses and software companies: We can even go better than Company A trying to discredit Company B; the Scores virus was apparently constructed specifically to damage and discredit a program or programs written for some unnamed government installation by a disgruntled employee.

--- Joe M.

=========================================================================
Date: Tue, 23 Aug 88 10:06:25 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Administrivia

Several readers have pointed out to me recently that they've been receiving two (or more) copies of VIRUS-L mail. I've just confirmed that Lehigh's mailer is only sending out one copy of each mailing, so some gateway or other node along the way must be doing some selective duplication. Hopefully, the situation will be cleared up in the near future. I apologize for any inconvenience.

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
Internet:
BITNET:

=========================================================================
Date: Tue, 23 Aug 88 10:11:30 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "William A. MacDonald"
Subject: virus info

I would like to receive information on viruses. A student here at Akron is working on a report and I read some of the listings he received from this listserver. The topic was very interesting and so I would like to receive all the listings that I can so that I may read them when I can.

Thank you.

Bill MacDonald

=========================================================================
Date: Tue, 23 Aug 88 13:36:51 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "David A. Bader"
Subject: Releasing viruses

> As far as the origins of PC viruses are concerned, one has to ask
> if there is anyone out there who can reap financial gains from viruses.
> The answer is yes. Companies that sell software are competing with
> freeware. If they can make people afraid of freeware (because of risk
> of virus infection), then they can sell more software (including the
> antidote for particular viruses, including any they may have written
> and released themselves in trojan-horse freeware or apparently pirated
> versions of their own software). Would a software company resort to
> such tactics? What are the risks of such a company getting caught by
> someone tracing trojan-horse freeware back to it?

This is an interesting origin of viruses. I have heard of this type of virus/trojan horse in a specific case (which I won't mention because it might discredit the company associated with it more than necessary). Incidentally, the bad code WAS traced back to the original company because their company name and phone number were located in the executable code... (How's that for doing something stupid??)

Anyway, what do *you* think about the idea that software firms might be releasing damaging code in order to discredit other packages and increase their sales while wreaking havoc on *our* machines?!? Do *you* think that this mentality is incorporated into the scheme of selling more software???

David A. Bader
DAB3@LEHIGH

=========================================================================
Date: Tue, 23 Aug 88 13:39:40 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Anti-Viral Package Claims

The company who made the claim of money-back for 5 years isn't stupid by any means. Do you know the percentage of people who actually send for their money back is incredibly small? It's a selling gimmick. Besides, a company can set itself up as an S corporation, sell a lot of product, declare bankruptcy and disappear and you can't go after any member of that company with a lawsuit.

Also, I agree this is not a place to sell products, but I still think we should mention names of some products so we know what really has problems, like the flushot bugs that have marred it over the past few months.

Loren

=========================================================================
Date: Tue, 23 Aug 88 13:49:58 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "David A. Bader"
Subject: Flushot bugs

> Also, I agree this is not a place to sell products, but
> I still think we should mention names of some products so
> we know what really has problems, like the flushot bugs
> that have marred it over the past few months.

Speaking of Flushot bugs... Hasn't *ANYONE* out there tried FluShot Plus 1.4??? I am having one type of problem with it (bug?), but because no one else out there tries such software, I am not sure if it is a *major* bug that everyone is experiencing, or just my bug. The only problem that I have encountered since using it for almost a month is that when I read a floppy disk (and only about 80% of the time) I get a TSR screen from FSP+ telling me that CMOS is being changed.

Question: Does anyone know if reading a floppy drive DOES in fact change CMOS memory in an AT???

David A. Bader
DAB3@LEHIGH

=========================================================================
Date: Tue, 23 Aug 88 13:53:30 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: Anti-Viral Package Claims
In-Reply-To: Your message of Tue, 23 Aug 88 13:39:40 EDT

> Besides, a company can set itself up as an S corporation,
> sell a lot of product, declare bankruptcy and disappear and
> you can't go after any member of that company with a lawsuit.

Sad, but true.

> Also, I agree this is not a place to sell products, but
> I still think we should mention names of some products so
> we know what really has problems, like the flushot bugs
> that have marred it over the past few months.

Product names in the context of objective reviews from people with no vested interest in the product are perfectly acceptable. Reprints of advertisements, however, must be discouraged.

On another note, I believe that the mail duplication problem reported earlier is isolated to BITNET. If anyone reading this is getting multiple copies on Internet (or elsewhere), please take a look at your message header. Is it going through the ARPA gateway at CUNYVM? If so, then the message is travelling through BITNET for a short distance before hitting the ARPAnet/Internet and the problem would be isolated between here and CUNY. If someone on the ARPA/Internet who is getting duplicate messages could send me a copy of one of their mail headers, I'd appreciate it. If someone on ARPA/Internet could confirm to me that they're *not* getting multiple messages, I'd appreciate that too.

Networks are great...when they work. Heavy sigh.

Ken

Kenneth R. van Wyk
User Services Senior Consultant
Lehigh University Computing Center
Internet:
BITNET:

=========================================================================
Date: Tue, 23 Aug 88 13:55:47 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
Comments: In-Reply-To: Poster of 23 Aug 88 EST from ZDABADE at VAX1.CC.LEHIGH.EDU
From: Otto Stolz +49 7531 88 2645
Subject: Virus Immunizer Ad

> GUARANTEE! We will refund your money at any time

So, what do they promise at all: that they will give back what they've taken from you before -- and only if you take the pains to write to them. Let's suppose that the refunding will cost them 10 bucks (for banking charges, man power, perhaps a diskette lost). Then they will still prosper, if at most 90% of their customers want the money back.

> if you are unsatisfied, FOR ANY REASON WHATSOEVER.

And from the reasons you state, they will gain insight on how to improve their product.

Otto

=========================================================================
Date: Tue, 23 Aug 88 14:00:56 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: The Yale Virus - Revealed

Okay, we've spent the last few hours going over the Yale virus (actually, Chris Bracy is still playing with it right now!) and we've come up with some preliminary conclusions.

It isn't the Brain virus. At least as far as it isn't the code that WE have that is called the Brain virus, and I believe we have the original form. I think it's an act-alike. Someone tried to recreate the virus without having the original to study from.

It's a boot-sector virus which infects both system and data disks. It infects only on boot-up. If you cold boot an infected disk, it loads the virus; if you then warm boot the machine, it infects whatever is in the A: drive. If the disk in the A: drive is already infected, it does nothing. It traps Int 9 and Int 19. Int 9 is the keyboard interrupt and Int 19 is the reboot interrupt.
When it infects the disk, it copies the original boot sector to sector eight (the ninth sector). It also traps (the key configuration that changes the number of lines on a screen). There is also a section of code which is an exact format of 1 track of a disk, EXCEPT the Int 13 isn't there, so this section of code never does anything. Also, there is a generation counter.

I believe this is an early version of a virus that someone planned to release. I'm not sure if the final version was released, and I'm not sure this virus is limited to Yale. I don't believe it is limited to Yale. I believe that the final version of the virus, after a period of time, would trigger itself to reformat someone's disk tracks.

As we finish going over the code, we'll be back to you with any new info.

Loren Keim and Chris Bracy

=========================================================================
Date: Tue, 23 Aug 88 14:10:56 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Viruses in the Mail

I'd like to thank everyone to date who has sent me copies of their particular viruses. It's interesting to go over them and try to figure out if they are advanced versions of other viruses floating around out there that we may be able to stop.

For anyone sending them to me in the future, however, please LABEL them as viruses. Receiving brown paper wrappers of unlabelled disks in the mail is scary. Recently when Yale sent me some material to look at, they marked the disk "BAD VIRUS - DO NOT BOOT". That was great, and one of the few times someone has marked it for me. We generally place viruses on red disks and put a "Mister Yuck" sticker on them as well as labelling them viruses. It's easier to separate them.

In the future, it's dangerous to be sending viruses around, so we do discourage it, BUT if anyone wants us to work on theirs (this is not an ad, I don't get paid for it) I'd like to change the address they've been going to.
Send them to P.O. Box 2423, Lehigh Valley Pa, 18001. This will make it easier for me to separate what are viruses and what are not. Also, if you send me something, please send me some background information, "I found it ____, and it infected ___ disks, on ___ date" or "I wrote this for you to look at" and so on. I've found a lot of programs that I can't trace back anywhere because all I've gotten is a disk and a postmark.

As for sending disks around, we can better control who has copies or reviews the virus in a conference situation, so I'd prefer people see them there. I don't intend on sending out copies of the Lehigh Virus or the Brain Virus (which I've received NUMEROUS calls for) unless you are "okay'd" by the government or have a real need for something. Otherwise, we can discuss it at the conference.

Thanks,
Loren Keim

=========================================================================
Date: Tue, 23 Aug 88 14:12:15 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Computer Law

Some legislation regarding computer security that people may want to check on:

Public Law 93-579 Privacy Act of 1974.
Goldwater-Koch Bill (HR 1984)

Loren Keim

=========================================================================
Date: Tue, 23 Aug 88 14:08:11 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Jim Marks
Subject: Re: Mail Order
In-Reply-To: Message of Mon, 22 Aug 88 16:10:00 EDT from

I, too, have been getting unusual distributions. Just now, I got second (at least) copies of 3 entries from last week (from Ken, Amanda Rosen, and Loren). I don't know what mailer is doing this. I believe I get my stuff straight from the mailer at LEHIGH, but I don't really know how all the distribution works.
=========================================================================
Date: Tue, 23 Aug 88 14:32:21 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Yale Virus Correction

Excuse me, I didn't fully explain where the boot sector was put by the Yale Virus. It is put on Sector 8 of Track 40, EVEN if it is an 80 track disk. Even more interesting is that it doesn't mark this sector as being bad. If something is in this sector, it doesn't check, it just writes right over it.

Loren

=========================================================================
Date: Tue, 23 Aug 88 13:38:01 CST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Claudia Lynch
Subject: Re: distribution
In-Reply-To: Message of Mon, 22 Aug 88 07:54:16 EDT from

I, too, have had strange things happening with my mail from the virus list. In my case, I have been receiving duplicates of things. Any thoughts on this matter?

Claudia Lynch
Academic Computing Services
University of North Texas
Denton, Texas

=========================================================================
Date: Tue, 23 Aug 88 15:05:41 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Scary Fact about the Yale Virus

Here is something that should scare people about virus propagation. The version of the Yale virus that we have tells us that it is the 15th generation of the virus. There is a counter that keeps this information. (The value of the counters found at Yale were 212 through 215). Figuring that each copy made 2 of itself and knowing how it figures out its own generation, the number of copies out there is about 2^15, which translates into an awful lot of copies of this virus if these figures are correct, and means that Yale was not the first place to encounter this virus.
A way to tell if you have the virus: when you warm reboot, the screen is set to 40 column mode for a split second.

Watch for it folks,

Loren

=========================================================================
Date: Tue, 23 Aug 88 16:22:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Chris Bracy
Subject: Slight correction on Yale Virus.

The generation on my disk is 15 hex not decimal. Also the note I saw said they didn't find any earlier than 12H. This would seem to indicate that either it didn't start at 0, or there is a good chance it didn't start at Yale. We're interested in finding out more about where it did come from, so here are some specifics on spotting it...

On computers with CGA adapters on a warm boot when it infects a disk (or attempts to infect and doesn't) it will put the screen into 40 column mode for about a second (on an 8MHz PC). The generation count is a word located at 1F8 into the code. (Into the boot sector). Also it doesn't overwrite (re-infect) itself.

Chris.

*==============================*======================================*
| Chris A. Bracy               | Student Consultant                   |
| (215) 758-4141               | Lehigh University Computing Center   |
| Kcabrac@Vax1.cc.Lehigh.Edu   | Fairchild Martindale Bldg. 8B        |
| Kcabrac@LehiCDC1.Bitnet      | Lehigh University                    |
| CAB4@Lehigh.Bitnet           | Bethlehem, PA 18015                  |
*==============================*======================================*

=========================================================================
Date: Tue, 23 Aug 88 16:28:31 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "David A. Bader"
Subject: Re: Viruses in the Mail

>As for sending disks around, we can better control who has
>copies or reviews the virus in a conference situation, so I'd
>prefer people see them there. I don't intend on sending out
>copies of the Lehigh Virus or the Brain Virus (which I've received
>NUMEROUS calls for) unless you are "okay'd" by the government
>or have a real need for something.
>Otherwise, we can discuss
>it at the conference.
>
>Thanks,
>
>Loren Keim

How can you ask for an OKAY from the government on people??? Who okays you to receive these viruses? Living in the same city as you, it scares me, and the rest of the computing vicinity, that these viruses are being so uncarefully handled. I just hope that my brother hasn't used any floppy disks that you might have handed him in conjunction with my computer....

If you *really* wanted to educate us, you would make a fact sheet about *all* the viruses you know of (containing infection schemes, sizes, generations, geographical sighting, detection of, remedies, etc.) and let the discussion list add to it.

Also, what is the synopsis of Goldwater-Koch Privacy Act?? If you like, I have pages and pages of government document references on computer security type subjects and maybe we can compile a "government revue" on viruses and such together.

David A. Bader
DAB3@LEHIGH

=========================================================================
Date: Tue, 23 Aug 88 18:13:04 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Jim Marks
Subject: Re: Virus Immunizer Add
In-Reply-To: Message of Tue, 23 Aug 88 00:41:00 EST from

Well, that is certainly a pretty impressive CLAIM. However, after reading (usually passively) a good deal of the postings here on the list, I would tend to think it a little optimistic. Of course, it is hardly the first such claim in computer software advertising. At $99, I would hope the program would be fairly sophisticated and useful in preventing many (or at least some) viral infections. However, I believe that ANY security scheme can be broken with enough effort. About the only ABSOLUTE security (if there is such a thing) would be physical security of the system, with only the use of material (program OR data) which had been verified to be virus- (or other type bug-) free. And that even probably isn't possible.
As for the liberal money-back guarantee: it may be good, but it is only as good as the company. In other words, it can be like the "life-time" membership to the health spa that goes out of business 6 months after you join; the problem is in the definition of "lifetime".

=========================================================================
Date: Tue, 23 Aug 88 19:05:53 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Jim Marks
Subject: Re: Anti-Viral Package Claims
In-Reply-To: Message of Tue, 23 Aug 88 13:39:40 EDT from

That is a good point about whether the money-back guarantee is really worth anything. The redemption rate on such guarantees is, I believe, quite low in most all fields. The computer software field is probably no different. As to the lifetime of computer software firms, we KNOW that this is in many (probably most) cases quite short. Therefore, there is a good chance the firm won't be around for 5 years.

As to selling software here; it is not appropriate. What IS appropriate is for users of software to report (positively or negatively) on how it performs. Of course, it's human nature that we usually hear more of the negative. (Or it could be just that there IS more negative when it comes to the vast array of software).

=========================================================================
Date: Tue, 23 Aug 88 19:58:56 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Controlled Study of Viruses

David Bader:
> Living in the same city as you, it scares me, and the rest
> of the computer vicinity, that these viruses are being so
> uncarefully handled.

I am very offended. We take the utmost care in isolating virus programs and in studying them. We set up a computer in my Coopersburg office (which you should be familiar with) which is connected to nothing whatsoever so that we can play with them in a controlled environment.
We have no programs on disk there, and nothing gets transferred from there so there is no risk of propagation. I debated whether to send this directly to David or to the entire list, and I feel that the list should know that we NEVER compromise on security. I had just gotten through explaining that some of the people who have submitted viruses to us should be more careful about how they are sent, and that we will not give out copies of the Lehigh virus or Brain virus, and you tell me that the computing vicinity is scared of me?

I just want to make sure that no one accuses me of the same thing Fred Cohen has been accused of countless times. I do not test viruses on public machines, only dedicated machines which are connected to NOTHING whatsoever.

> If you *really* want to educate us, you would make a fact
> sheet about *all* the viruses you know of (containing
> infection schemes, sizes, generations, geographical
> sighting, detection of, remedies, etc.)

As I said about two weeks ago on this list, and we discussed it at length, I am putting together such a list. One of the reasons we are getting viruses in the mail is because people are helping me to add to the list. We debug them, figure out what makes them tick, compare them to similar viruses and do a write-up on them for the list of viruses. Unfortunately, this list is taking longer than anticipated. Once again, however, I would like to ask anyone to send me information about their virus sightings; please be specific.

Please forgive the rather angry tone, I don't like being accused of viral propagation... at least not after all the work I have gone through to make certain nothing propagates.

Loren

=========================================================================
Date: Tue, 23 Aug 88 21:05:57 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: David.Slonosky@QUEENSU.CA
Subject: REFERENCE TO PUBKEY MAILING LIST
In-Reply-To:

>A RECENT VIRUS-L MSG MENTIONED A PUBLIC KEY CRYPTO MAILING LIST.
>I TRIED TO MSG THE NAME THAT WAS QUOTED AND GOT MY MSG BOUNCED.
>ANYBODY HAVE ANY FURTHER INFO ON PUBKEY???
>
>/JC ON JIM@ISS.NUS.AC.SG

Yeah, I had the same problem. Maybe if the author of the original item is reading these notes, then they could help out. Was the address a BITNET address, or what?

David Slonosky/QueensU/CA,"",CA    | Know thyself?                   |
                                   | If I knew myself, I'd run away. |

=========================================================================
Date: Tue, 23 Aug 88 21:07:02 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: David.Slonosky@QUEENSU.CA
Subject: Openness; Viruses and Software Companies; Insurance
In-Reply-To:

> As far as the origins of PC viruses are concerned, one has to ask if
>there is anyone out there who can reap financial gains from viruses.
>The answer is yes. Companies that sell software are competing with
>freeware. If they can make people afraid of freeware (because of risk
>of virus infection), then they can sell more software (including the
>antidote for particular viruses, including any they may have written and
>released themselves in trojan-horse freeware or apparently pirated
>versions of their own software). Would a software company resort to such
>tactics? What are the risks of such a company getting caught by someone
>tracing trojan-horse freeware back to it?
>
>
>Steven C. Woronick
>Physics Dept.
>SUNY @ Stony Brook
>Stony Brook, NY 11794

What an evil thought, which means there's a good chance it's happened at least once. Talk about your market forces...

David Slonosky/QueensU/CA,"",CA    | Know thyself?                   |
                                   | If I knew myself, I'd run away. |

=========================================================================
Date: Wed, 24 Aug 88 00:30:01 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: David.Slonosky@QUEENSU.CA
Subject: Computer Virus Research

Is the academic based research of computer viruses a big thing in the States? In Canada? Anywhere?
By "academic based", I mean is there a specific portion of a university computing science department devoted to unravelling the code of these things, inventing security measures to prevent their spread, hiring graduate students to write/examine them, applying to major industries for grants to combat them, and so on.

Just curious. If this violates national security or something, then you don't have to tell me. Is Lehigh like this? All the contributors have obviously been exposed to the Lehigh virus or know of it.

David Slonosky/QueensU/CA,"",CA    | Know thyself?                   |
                                   | If I knew myself, I'd run away. |

=========================================================================
Date: Wed, 24 Aug 88 01:36:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ZDABADE@VAX1.CC.LEHIGH.EDU
Subject: RE: Re: Virus Immunizer Add

When you discuss a package such as the IMMUNIZER for a hundred bucks, how can it have as much sophistication and road testing as FluShot (for free)??? And we *know* how many problems Ross Greenberg has had with getting FSP to work with ALL types of systems...

David

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
| From: David A. Bader, Studentis Maximus                                 |
|                                                                         |
| DAB3@LEHIGH                        SloNet: 1402 Lorain Avenue           |
| ZDABADE@VAX1.CC.LEHIGH.EDU                 Bethlehem, Pa. 18018         |
| HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                      |
|                                                                         |
| SchoolNet: Box 914,                -On a mostly harmless                |
|            Lehigh University,       blue green planet...                |
|            Bethlehem, Pa. 18015    -And loving it!                      |
\_________________________________________________________________________/

=========================================================================
Date: Wed, 24 Aug 88 01:42:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ZDABADE@VAX1.CC.LEHIGH.EDU
Subject: RE: Controlled Study of Viruses

Loren,

You seem fine with a word processor, but how do people *really* know that what you say is true and that you would *never* spread a virus???
I mean sending an unknown person a lot of viruses is a potential for danger. I know you and know that you would never release a virus on any system, but can you see the situation that would arise if someone else out there also got a copy of the viruses "to study" but instead had other plans for them! As it stands, sending you viruses HAS to be a weak link in security because I doubt that most of the places sending to you have even met you in person.

David

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
| From: David A. Bader, Studentis Maximus                                 |
|                                                                         |
| DAB3@LEHIGH                        SloNet: 1402 Lorain Avenue           |
| ZDABADE@VAX1.CC.LEHIGH.EDU                 Bethlehem, Pa. 18018         |
| HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                      |
|                                                                         |
| SchoolNet: Box 914,                -On a mostly harmless                |
|            Lehigh University,       blue green planet...                |
|            Bethlehem, Pa. 18015    -And loving it!                      |
\_________________________________________________________________________/

=========================================================================
Date: Wed, 24 Aug 88 01:49:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ZDABADE@VAX1.CC.LEHIGH.EDU
Subject: RE: Computer Virus Research

>Just curious. If this violates national security or something, then
>you don't have to tell me. Is Lehigh like this? All the contributors
>have obviously been exposed to the Lehigh virus or know of it.

I assume that most of the Lehigh students, graduates, and staff members at Lehigh University who subscribe here are interested in the Lehigh virus because it was a new curiosity for us to explore.

David

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
| From: David A. Bader, Studentis Maximus                                 |
|                                                                         |
| DAB3@LEHIGH                        SloNet: 1402 Lorain Avenue           |
| ZDABADE@VAX1.CC.LEHIGH.EDU                 Bethlehem, Pa. 18018         |
| HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                      |
|                                                                         |
| SchoolNet: Box 914,                -On a mostly harmless                |
|            Lehigh University,       blue green planet...                |
|            Bethlehem, Pa. 18015    -And loving it!
|
\_________________________________________________________________________/

=========================================================================
Date: Wed, 24 Aug 88 14:04:06 MEZ
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Konrad Neuwirth
Subject: Question

I have a question just out of curiosity. What happens if I have a virus (not knowing it), and a second virus comes to infect the system, too? Do I get virus wars? Does one kill the other? Do both work on my system and kill it? Do both write themselves on new disks?

Thank you
/konrad

=========================================================================
Date: Wed, 24 Aug 88 08:19:54 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: Question
In-Reply-To: Your message of Wed, 24 Aug 88 14:04:06 MEZ

> I have a question just out of curiosity.
> What happens if I have a virus (not knowing it), and a second virus comes
> to infect the system, too? Do I get virus wars? Does one kill the other?
> Do both work on my system and kill it? Do both write themselves on new disks?

That all depends on how the two viruses function. For example, if one of the two viruses infects the boot track and another appends itself onto executable files, then it's certainly possible to have two active viruses on one system. Each one would act independently of the other.

If they both infect the boot track, however, then the results would depend on how "well" each virus is written. That is, if they go to great extremes to make sure that the existing boot track is stored in an unused place, and that it gets executed normally, then it's possible that both would function normally. It would seem more likely, however, that the end result would be a no-longer-bootable disk...

The bottom line is that it depends on how the two viruses were written.

Ken

Kenneth R. van Wyk                     Calvin: Let's see what happens if we cook
User Services Senior Consultant                popcorn without a lid!
                                               (POP!)
Lehigh University Computing Center     Calvin: Wow, that's more fun than
Internet:                                      exploding a potato in the microwave!
BITNET:                                Hobbes: Let's do some more!

=========================================================================
Date: Wed, 24 Aug 88 09:49:10 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe McMahon
Subject: Re: Virus Immunizer Add
In-Reply-To: Message of Tue, 23 Aug 88 18:13:04 EDT from

> ... ANY security scheme can be broken with enough effort. About the only
>ABSOLUTE security (if there is such a thing) would be physical security of
>the system...

Laugh if you wish, but in this month's MacUser, I saw an ad for something that locks down over the floppy slot on a Mac SE to keep people from putting potentially nasty diskettes into it. I suppose if you unplug the modem and are sure the hard disk is clean, it'll stay clean, but it still gives me a bit of a chuckle...Rampant paranoia, anyone? I can see some poor sucker whose boss has started seeing viruses crawling out from under the furniture getting one and refusing to take it off... :-).

--- Joe M.

=========================================================================
Date: Wed, 24 Aug 88 10:04:34 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Joe McMahon
Subject: Re: Question
In-Reply-To: Message of Wed, 24 Aug 88 14:04:06 MEZ from

>What happens if I have a virus (not knowing it), and a second virus comes
>to infect the system, too? Do I get virus wars? Does one kill the other?
>Do both work on my system and kill it? Do both write themselves on new disks?

I can't say anything about PC viruses, but the Mac viruses I know about would have no trouble with such a situation. The cleanup programs might, though!

--- Joe M.

=========================================================================
Date: Wed, 24 Aug 88 08:40:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Shawn V.
Hernan"
Subject: copies

Why am I getting *two* copies of all the virus-l postings?

Shawn Hernan
valentin@pittvms.bitnet

=========================================================================
Date: Wed, 24 Aug 88 10:27:54 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Bill MacDonald
Subject: Dup Mail

I have also been receiving the same mail 2 to 3 times.

=========================================================================
Date: Wed, 24 Aug 88 10:35:26 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: More administrivia (re: duplicate mail)

Heavy sigh! After much experimentation, I've been able to definitively isolate the mail duplication gnome to be hiding between here and the BITNET/ARPANET gateway. It does, however, appear to have been fixed. Please let me know if anyone gets a duplicate of *this* particular message.

For anyone who's interested - I tried sending mail directly from LEHIIBM1 (where VIRUS-L originates) to my own Internet account on spot.cc.lehigh.edu. I found that one message was being sent. Also, my own account was only receiving one copy of all VIRUS-L mail. So, the duplication was happening somewhere in BITNET.

Next, I received several headers from people receiving duplicate mail (thank you all!) and saw that the headers were all identical. More importantly, though, all of the affected people had similar mail paths. One person told me that mail from other sites was not being duplicated. Since we're on a small "leg" off of the BITNET, chances were pretty good that the problem was somewhere there...

Finally, I sent myself mail on my Internet account, but I directed it through the INTERBIT (INTERNET/BITNET) gateway at CUNY. I received a duplicate copy of my own mail. I *suspect* that it was the CUNYVM mailer that was doing it, but I could be wrong. It has been having other problems lately, I'm told.
When I again tried my loopback test this morning, I got no duplicate mail, and the mail went through CUNY in a matter of seconds. I believe that the problem is fixed.

Once again, I apologize to all who were inconvenienced by this. I hope that we've seen the end of it.

Ken

Kenneth R. van Wyk                     Calvin: Let's see what happens if we cook
User Services Senior Consultant                popcorn without a lid! (POP!)
Lehigh University Computing Center     Calvin: Wow, that's more fun than
Internet:                                      exploding a potato in the microwave!
BITNET:                                Hobbes: Let's do some more!

=========================================================================
Date: Wed, 24 Aug 88 10:38:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ZDABADE@VAX1.CC.LEHIGH.EDU
Subject: RE: Re: Virus Immunizer Add

>
>> ... ANY security scheme can be broken with enough effort. About the only
>>ABSOLUTE security (if there is such a thing) would be physical security of
>>the system...
>Laugh if you wish, but in this month's MacUser, I saw an ad for something
>that locks down over the floppy slot on a Mac SE to keep people from putting
>potentially nasty diskettes into it. I suppose if you unplug the modem and
>are sure the hard disk is clean, it'll stay clean, but it still gives me
>a bit of a chuckle...Rampant paranoia, anyone? I can see some poor sucker
>whose boss has started seeing viruses crawling out from under the furniture
>getting one and refusing to take it off... :-).
>
>--- Joe M.

Putting locks on a floppy drive can be sensible in a "big business" type situation to make sure that unauthorized I/O access is disallowed. This security is kind of mirrored in some brands of PCs that have key locks on their frames that won't allow bootup without being "unlocked" first or physically can't be opened (without total destruction of the hardware) without the key.

David

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
| From: David A.
Bader, Studentis Maximus                                                 |
|                                                                         |
| DAB3@LEHIGH                        SloNet: 1402 Lorain Avenue           |
| ZDABADE@VAX1.CC.LEHIGH.EDU                 Bethlehem, Pa. 18018         |
| HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                      |
|                                                                         |
| SchoolNet: Box 914,                -On a mostly harmless                |
|            Lehigh University,       blue green planet...                |
|            Bethlehem, Pa. 18015    -And loving it!                      |
\_________________________________________________________________________/

=========================================================================
Date: Wed, 24 Aug 88 10:00:30 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Frank San Miguel
Subject: Re: Openness; Viruses and Software Companies; Insurance
In-Reply-To: Your message of Tue, 23 Aug 88 21:07:02 EDT

I'd always thought that such a proposition would be a bit preposterous, but in these times, anything goes. You've got a good point.

=========================================================================
Date: Wed, 24 Aug 88 10:49:15 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Frank San Miguel
Subject: Re: copies
In-Reply-To: Your message of Wed, 24 Aug 88 08:40:00 EDT

You too? In a few cases, I'm getting three or four.

=========================================================================
Date: Wed, 24 Aug 88 10:42:37 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Frank San Miguel
Subject: virus chronology

I'm working on a chronology of the virus from John Von Neumann's conception of them in 1948 to the present. I would like to hear from anyone who has any dates, references, or comments concerning this compilation. All submissions are greatly appreciated.

Frank San Miguel (acs1s@uhupvm1.bitnet)

=========================================================================
Date: Wed, 24 Aug 88 10:52:00 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Gordon Keegan
Subject: Re: More administrivia ...

Ken, I just got 2 copies of your message on trying to isolate the source of the duplicate mailings.
Sorry about posting to the list but my mailer won't send directly to you.

Gordon Keegan
c145gmk@utarlg.bitnet
University of Texas, Arlington

<< standard unclaimer >> (I always was getting my prefixes mixed up...)

=========================================================================
Date: Wed, 24 Aug 88 17:39:04 GMT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: DECLAN DELAMERE
Subject: Re: distribution
In-Reply-To: Message of Mon, 22 Aug 88 07:54:16 EDT from

Ogata et al.: One gets used to receiving messages completely out of sequence when one subscribes to trans-atlantic distribution lists from European nodes!!! :-(

D

=========================================================================
Date: Wed, 24 Aug 88 12:44:46 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Computer Virus Research Questions

David Slonosky:
> Is the academic based research of computer viruses a big thing
> in the States? In Canada? Anywhere?
> By "academic based", I mean is there a specific portion of a
> university computer science department devoted to unravelling the
> code of these things, ...

The group of us that study viruses at Lehigh University are not a section of the computer science department. In the general sense, we have been working in the field as consultants for a number of years. Some of our clients include government bodies. When such a large security problem as the "virus" makes itself known, we have to study it in order to come up with some effective way of combatting it. It's very important that we CAN combat it.

David Bader:
> I assume that most of the Lehigh students, graduates, and
> staff members at Lehigh University who subscribe here are
> interested in the Lehigh virus because it was a new curiosity
> for us to explore.

I highly doubt it.
When Chris Bracy, Joe Sieczkowski, Mitch Ludwig and I ran around Lehigh campus for 48 hours trying desperately to stop the virus from spreading (it spread at an incredible rate), we were, as was the Computer Center Staff, more worried about the danger to research at Lehigh. Most of the follow-up interest in the virus was money or recognition. Several people came to Lehigh to find out about the Lehigh virus so they could make money from anti-virus programs. Several others became involved because of the publicity that came out of the virus. Viruses are a curiosity, but I would rather find a way to stop the curiosity than play with it.

As for some questions about national security: we are prohibited by law from giving out certain viruses. We are not allowed to distribute the Lehigh Virus without the "ok" of the government as I am told. I spent some time on the phone quite a while ago with different agencies and that was the general idea.

Loren

=========================================================================
Date: Wed, 24 Aug 88 12:49:34 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Re: Virus Immunizer Add

> When you discuss a package such as the IMMUNIZER for a hundred
> bucks, how can it have as much sophistication and road testing
> as FluShot (for free)???

Well David,

There are quite a few anti-virus programs which sell for 200-400 dollars. The reason some sell for so much is that they are worth more. I believe Ross Greenberg's FluShot is shareware, so I believe he asks you to send in some sum of money. I don't recall it being free. But even if it is, is it worth trying a package that has failed so often before? FS is an interesting package, but it isn't all that powerful in comparison with some of the packages on the market. For a corporate market, often they might want a shell of some kind to make sure nothing comes through.
There are packages that have had extensive testing by the NSC I'm told; there are packages that utilize DER encryption schemes, which is much better than trying a simple CRC. I would pay at least 5 times as much for a DER encryption than for a CRC scheme. You have to realize that the value of the product is worth what was put into it.

Loren

=========================================================================
Date: Wed, 24 Aug 88 12:54:16 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Dueling Viruses

Konrad,

You raised a very interesting question with two viruses on the same machine. Several people, I believe, have already answered the question, but I'd like to point out that the game Corewars is an example of what you are talking about in some ways.

For anyone who hasn't played the game Corewars, or seen its write-up a few years back in Scientific American, the idea is to write assembly-like programs which look for other programs and destroy them. People can have programs duel and destroy each other. It's a very interesting and challenging game to come up with the perfect program.

Loren Keim

=========================================================================
Date: Wed, 24 Aug 88 13:00:31 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Accidentally Releasing Viruses

> As it stands, sending you viruses HAS to be a weak link
> in security because I doubt that most of the places sending
> you have even met you in person.

If you are so worried about me leaking viruses, please keep your distance. In point of fact, as I said just two days ago, it is unwise to send viruses around. I said that I didn't appreciate the one virus I received in a brown wrapper with no letter and no disk label. This annoyed me. I didn't say "Send me all your viruses". Please look at the context of my letters before you criticize.
(I'm taking complaints on my replies to you!)

If you don't trust me to handle viruses, that is just fine and isn't the point. I have been called upon to handle viruses in the past, and I was called by one person today who had a problem and I will continue to deal with these viruses. I understand the security risks associated with giving out viruses; that is why people generally send viruses to Fred Cohen or Chris Bracy or me or someone who has dealt with virus problems in the past.

Loren

=========================================================================
Date: Wed, 24 Aug 88 11:44:51 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "James N.Bradley"
Subject: Re: More administrivia (re: duplicate mail)
In-Reply-To: Your message of Wed, 24 Aug 88 10:35:26 EDT

I got two copies.

Jim Bradley

=========================================================================
Date: Wed, 24 Aug 88 13:28:10 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: update on mail duplication woes... :-(

Well, it turns out that I jumped the gun a bit when I said that all was fixed. But, then, that's quite apparent by now... It also turns out that several lists are experiencing the same problem right now (according to a LISTSERV group of list maintainers), and no one really knows what the cause is. That doesn't explain why some of my personal mail has been getting duplicated, however...

So, until the problem gets fixed (it's quite out of my hands I'm afraid), let's please just try to bear with it. Discussing it on the list only adds insult to injury.

Thanks again to everyone who's been sending me headers and additional info!

Ken

Kenneth R. van Wyk                     Mom: *RISE AND SHINE, CALVIN!*
User Services Senior Consultant        Calvin: Mbbgglkjsfdfy!
Lehigh University Computing Center     Mom: The early bird catches the worm!
Internet:                              Calvin: Great incentive!
BITNET:

=========================================================================
Date: Wed, 24 Aug 88 14:06:52 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Otto Stolz +49 7531 88 2645
Subject: NETiquette

Hello everybody,

from all the lists I've subscribed to, VIRUS-L delivers by far the most messages per day, and it takes considerable time to keep pace. Please help make browsing through all this mail a bit easier and faster.

1. Please discuss technical matters, such as distribution problems, privately with the list owner -- Ken Van Wyk and perhaps Jim Eshleman, in this case -- and do NOT bother every subscriber with it. When Ken needs evidence from other subscribers, he will certainly tell us so (that makes one note instead of a dozen).

2. Please use the subject field sensibly. When you report/discuss details pertinent to a specific brand of hardware or software, please indicate so in the Subject field. In many cases, I could hardly figure out this indispensable bit of information, or not at all. You could do it e.g. in this way:

> Subject: Super-duper Virus Killer available (MS-DOS)

So all Mac users could discard this one immediately. (I'd appreciate it especially if this scheme worked the other way :-)

Please keep discussion on this (technical) suggestion at a minimum, and no flames, please.

Thanks!
Otto Stolz

=========================================================================
Date: Wed, 24 Aug 88 13:42:34 CST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: James Ford
Subject: Hard Disks

I have questions (gee..what a surprise!)

If you formatted your hard disk into several partitions, and had one partition just for COMMAND.COM, IBMBIOS.COM, IBMDOS.COM, CONFIG.SYS, etc...., how effective would that be in slowing down the spread of virii?
If you ran MIRROR (or something similar) for your extended DOS partition (which is logical drive "D" now), how effective would this be for restoring any data that was destroyed?

If you ran MAPMEM (which shows hooked vectors), could you see what vectors a virus might have hooked for itself? Could you then free up that portion by using RELEASE on it? (assuming you ran MARK first.....)

Ken, I am still receiving 2 of every file....however, the time interval has increased from seconds to around 35 minutes between each file.

James Ford
Suggestive maintenance: JFORD1@UA1VM
"Gee, I wish it would work...."
=========================================================================
Date: Wed, 24 Aug 88 13:31:20 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Len Levine
Subject: Re: Controlled Study of Viruses
In-Reply-To: Message from "Loren K Keim -- Lehigh University" of Aug 23, 88 at 7:58 pm

>> Living in the same city as you, it scares me, and the rest
>> of the computer vicinity, that these viruses are being so
>> uncarefully handled.
>
>I am very offended. We take the utmost care in isolating
>...(material deleted)
>
>Please forgive the rather angry tone, I don't like being
>accused of viral propagation... at least not after all the
>work I have gone through to make certain nothing propagates.
>
>Loren
>

Do not be offended, I also wondered how I could become government approved in order to receive copies of these viruses. Who is in charge? Why?

If you want to hold these viruses close to your chest, then just say so. I have no problem with that. However do not imply that there is some sort of agency that you are connected with that checks up to see who is worthy. There is no such agency.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                   e-mail len@evax.milw.wisc.edu   |
| Professor, Computer Science         Office (414) 229-5170           |
| University of Wisconsin-Milwaukee   Home   (414) 962-4719           |
| Milwaukee, WI 53201 U. S. A.        Modem  (414) 962-6228           |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date: Thu, 25 Aug 88 09:27:00 H
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Living on a Prayer
Subject: Dup Mails

How about receiving the same mail 5 times !!?? And IBMPC-L digest is no small file. This is really very unhealthy for the net.

Marvin Wong                        ! Never assume for it will make
wongkokh@nusdiscs                  ! an ASS out of U and ME
csc30001@nusvm                     !
National University of Singapore   !
Department of Information Systems and Computer Science
=========================================================================
Date: Wed, 24 Aug 88 15:34:39 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Frank San Miguel
Subject: Re: Openness; Viruses and Software Companies; Insurance
In-Reply-To: Your message of Tue, 23 Aug 88 21:07:02 EDT

Don't know if you heard this one, but here is something that sounds like what you were saying. Softguard Corp. was caught distributing a virus called SUG. SUG was advertised as a copy-protection breaker of Softguard products. Instead, the program scrambled FATs in an IBM; from drive A to the highest drive. Softguard claimed that since users trying out the program were breaking a licensing agreement, the company had the right to destroy data. Softguard's going to court.

Frank San Miguel(acs1s@uhupvm1)
=========================================================================
Date: Thu, 25 Aug 88 08:23:18 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Ken van Wyk
Subject: Re: Hard Disks
In-Reply-To: Your message of Wed, 24 Aug 88 13:42:34 CST

> If you formatted your hard
> disk into several partitions, and had one partition just for COMMAND.COM,
> IBMBIOS.COM, IBMDOS.COM, CONFIG.SYS, etc...., how effective would that be
> in slowing down the spread of virii?

Not very effective at all, by itself.
There is at least one anti-virus device which can (hardware) write protect a range of cylinders on your hard disk (i.e., a partition). It would definitely reduce the threat of a virus spreading if you could put your system files (and as many executables, overlays, etc.) on a write protected device like that. The problem is that it's not too convenient to use, and you should really understand what you're doing while you have the disk not write-protected. That is, while installing software on that partition, you're as open as ever to virus contamination.

> If you ran MAPMEM (which shows hooked vectors), could you see what vectors
> a virus might have hooked for itself? Could you then free up that portion by
> using RELEASE on it? (assuming you ran MARK first.....)

Sometimes. MAPMEM, by itself, only reports the most recently run program that is taking any one interrupt vector. That is, if two programs took INT 13H, then only the second one run would be reported. There is an accompanying (I think in the same package, by TurboPower Software) program called WATCH which causes MAPMEM to show all programs which have taken any particular interrupt. As long as a virus loads *AFTER* WATCH, then it should show any interrupts in use. The problem, however, comes in when a virus, such as a boot sector virus, is loaded before anything else. You won't be able to see any of the interrupts that they're using with tools like MAPMEM.

MAPMEM, WATCH, MARK, RELEASE, and others that I can't remember the names of, are public domain programs released by TurboPower Software. They're written in Turbo Pascal and include source code. Good stuff.

Ken

Kenneth R. van Wyk                    Mom: *RISE AND SHINE, CALVIN!*
User Services Senior Consultant       Calvin: Mbbgglkjsfdfy!
Lehigh University Computing Center    Mom: The early bird catches the worm!
Internet:                             Calvin: Great incentive!
BITNET:
=========================================================================
Date: Thu, 25 Aug 88 04:00:41 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Steve
Subject: Safeguard and SUG

Frank San Miguel related an incident involving a "virus" called SUG that scrambles FAT tables and generally destroys data. This is no reflection on Frank, but having never heard this before it seems hard to believe that a company could be so irresponsible. If it's true I wonder if it's a real virus (that propagates) or just a nasty program that reformats disks. Whether it propagates or not, it's clear that the program has no way of discriminating between someone simply trying to make a backup copy of a program (or perhaps trying to install it on a hard disk) and someone trying to make pirate copies of a disk.

In any case, it would appear that the company has gone out on a limb by "taking the law into its own hands" rather than pursuing justice through legal channels. Even if it is justified in trying to protect its software, and even if it argues that legal channels are ineffective, that is no excuse for criminal action (releasing a malicious and destructive program). I would think that such a company would be no more justified than a mob lynching a criminal. The criminal may deserve to die, but it should be handled through proper channels and the punishment must befit the crime, as determined by law.

--------------------------------------------------------------------------
Steven C. Woronick      | An extrapolation of its present rate of
Physics Dept.           | growth reveals that in the not too distant
SUNY @ Stony Brook      | future, Physical Review will fill bookshelves
Stony Brook, NY 11794   | at a speed exceeding that of light. This
                        | is not forbidden by relativity, since no
516-632-8133            | information is being conveyed.
=========================================================================
Date: Thu, 25 Aug 88 10:00:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ZDABADE@VAX1.CC.LEHIGH.EDU
Subject: RE: Safeguard and SUG

I made reference to the SUG incident in a previous message. I have some code and an article about this on a disk somewhere, and as soon as I find it, I will share it with you. Safeguard was traced to the situation because they had their company name and phone number in their code. (I don't think it was a virus, per se, that they released, but more of a trojan horse.)

David

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
| From: David A. Bader, Studentis Maximus                                 |
|                                                                         |
| DAB3@LEHIGH                          SloNet: 1402 Lorain Avenue         |
| ZDABADE@VAX1.CC.LEHIGH.EDU                   Bethlehem, Pa. 18018       |
| HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                      |
|                                                                         |
| SchoolNet: Box 914,                  -On a mostly harmless              |
|            Lehigh University,         blue green planet...              |
|            Bethlehem, Pa. 18015      -And loving it!                    |
\________________________________________________________________________/
=========================================================================
Date: Thu, 25 Aug 88 10:05:50 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Jim
Subject: Re: Safeguard and SUG
In-Reply-To: Message of Thu, 25 Aug 88 04:00:41 EDT from

I have a feeling that the program distributed by Softguard (if the report is true) is a Trojan Horse rather than a virus. Since most users will have to reformat after having their FAT's scrambled, I'm not sure the program could propagate. In any case, the company would not NEED to have the program propagate to accomplish their (assumed) ends.

Even if it doesn't propagate, I agree that the practice is reprehensible. While I don't condone pirating of software, users should be able to make backups, which some copy protection schemes don't provide for. I've never particularly cared for copy-protected software anyway.

Jim Marks
=========================================================================
Date: Thu, 25 Aug 88 09:25:01 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Len Levine
Subject: Re: Safeguard and SUG
In-Reply-To: Message from "Steve" of Aug 25, 88 at 4:00 am

>Frank San Miguel related an incident involving a "virus" called SUG that
>scrambles FAT tables and generally destroys data. This is no reflection
>on Frank, but having never heard this before it seems hard to believe
>that a company could be so irresponsible. If it's true I wonder if it's
>a real virus (that propagates) or just a nasty program that reformats
>disks. Whether it propagates or not, it's clear that the program has no
>way of discriminating between someone simply trying to make a backup copy
>of a program (or perhaps trying to install it on a hard disk) and someone

In Wisconsin, as in other states, a person may shoot to kill if and only if s/he feels that a life is threatened. (A reasonable person test is often invoked.) It is not permitted to do so to protect only property. That is to say, the response must be appropriate to the threat and the invoker of the response must take responsibility for his or her action.

If a company does put out such a package that does harm to a user's computer, and if the harm is way out of bound compared to what is being protected, the company is due to be sued, either by a felon, using the program to steal, or, more to the point, by an innocent bystander who may well be using the program in a legal way, or who may be merely damaged by some unintended side effect.

In fact, if I was aware of such a problem with a commercial package, if I felt that a vendor was prepared to risk my computer for his protection, I would avoid the legal packages that the vendor sold, believing that there were some other dirty tricks hidden in the woodwork that had not bitten anyone yet.
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Leonard P. Levine                   e-mail len@evax.milw.wisc.edu   |
| Professor, Computer Science         Office (414) 229-5170           |
| University of Wisconsin-Milwaukee   Home   (414) 962-4719           |
| Milwaukee, WI 53201 U. S. A.        Modem  (414) 962-6228           |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date: Thu, 25 Aug 88 10:32:24 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: David.Slonosky@QUEENSU.CA
Subject: SUG
In-Reply-To:

This is one of the programs documented in the "Dirty Dozen". When is the case coming to court?

David Slonosky/QueensU/CA,"",CA      | Know thyself?                    |
                                     | If I knew myself, I'd run away.  |
=========================================================================
Date: Thu, 25 Aug 88 09:28:48 CDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Len Levine
Subject: Re: Safeguard and SUG
In-Reply-To: Message from "VIRUS-L@LEHIIBM1.BitNet" of Aug 25, 88 at 10:00 am

>I made reference to the SUG incident in a previous message. I have some
>code and an article about this on a disk somewhere, and as soon as I
>find it, I will share it with you. Safeguard was traced to the situation
>because they had their company name and phone number in their code. (I don't
>think it was a virus, per se, that they released, but more of a trojan horse.)
>
>David
>

Let's watch this. Should I assume that any electronic media message with someone's name and address in it was written by them? I don't think so.

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
| Ronald Regan                        e-mail len@evax.milw.wisc.edu   |
| Professor, Computer Science         Office (414) 229-5170           |
| University of Wisconsin-Milwaukee   Home   (414) 962-4719           |
| Milwaukee, WI 53201 U. S. A.        Modem  (414) 962-6228           |
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
=========================================================================
Date: Thu, 25 Aug 88 10:42:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: WHMurray@DOCKMASTER.ARPA
Subject: Re: The First Virus
In-Reply-To: Message of 19 Aug 88 10:39 EDT from "Loren K Keim -- Lehigh University"

Loren,

I am afraid that I cannot document it, and it may even have been apocryphal. (I was not a user of the net then.) But the first virus that I can recall hearing about was named the "phantom," and was said to have appeared in the arpanet in the very early seventies. After all these years I can no longer distinguish in my memory between those characteristics that were attributed to the phantom and those that were simply discussed in its context.

I can recall that I was not surprised at the time and that I was surprised at FC's assertion that his experiment was the first. Of course that is absurd on its face since "The Adolescence of P1" was published in the early 70's. It described "trapdoors," "Trojan Horses," and viruses in excruciating and withering detail. These were the "kernel of truth" on which the author hung his fantasy.

Merle Miller quotes Harry Truman: "The only thing new in the world is the history you don't know."

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center, Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840
=========================================================================
Date: Wed, 24 Aug 88 17:14:48 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: James Mathiesen
Subject: a new virus:

I got this off the MacIntosh distribution list and know nothing else about it -- but I am curious if anybody here has heard of it or has any additional info.
----- -----forwarded msg-----
From: C20254 @ UK.AC.PLYMOUTH.PRIME-B
Date: 11-JUL-1988 20:52
Subj: Macintosh Infection at Seale-Hayne College

From : Joe Evison
       Micro Support
       Computing Service
       Plymouth Polytechnic
Phone : (0752) 221312 Exn. 5441
Email : C20254@UK.AC.PLYM.B

I have been asked to forward the following article on to you, in the hope that someone may be able to offer advice and/or assistance. The report concerns a recent outbreak of a Macintosh virus at Seale-Hayne College. We have been in touch with the local Apple Centre in Bristol, who in turn have contacted Apple UK's technical people, and it would appear that this particular virus is unknown to them.

If anyone does have any information regarding this virus, could they mail either myself or Adrian Vranch at Seale-Hayne - his address is given in the report.

Thank you,
Joe Evison
-----------------------------------------------------------------------------

Macintosh Infection at Seale-Hayne College

Tsunami Virus

Dr Adrian T Vranch
Head of Computer Unit
Seale-Hayne College, Newton Abbot, Devon TQ12 6NQ. England
Tel: 0626 52323 ext 271
Email : P30414@UK.AC.PLYM.A

8th July 1988

Introduction

The following notes describe the recent events leading up to the discovery of what appears to be a "virus" of some form which is present in the Macintosh Plus computers in use at Seale-Hayne College. This virus was discovered completely by accident on Wednesday 29th June 1988 and appears to have been present, but undetected, for at least six months prior to that date on a Macintosh network running under MacServe. This network has been accessed by over 150 staff and student users in that time.

These notes are intended to help all Macintosh users by providing information about this virus in terms of:

   how users can determine if it is present
   what effects it appears to have
   how to get rid of it.

Discovery of the Virus - The Story So Far

The first clue to the presence of the virus came as a complete accident while using Apple File Exchange on a Mac Plus with external 20 Mbyte hard disk. Along with the Desktop file ( which is normally invisible ), System File and other files shown in the scroll window was a new, invisible file called Bostb be Evill. At the time I thought that this was rather strange but did nothing whatsoever on that day.

Due to the unfriendly ring to the name of this file, my suspicions were aroused and the next day I ran the Ferret v1.0 program to check for Scores Virus. Vaccine had been installed and running for two weeks on this system. Ferret identified two files that were infected on the hard disk system: the main System file in the System Folder and a second System file ( used to create MacServe floppies ) in another folder called MacServe Folder.

No changes to the Scrapbook or Note Pad icons had taken place, as discussed in the Scores Virus article by Howard Upchurch. However, following the advice in Howard's notes I checked for additional INIT resources in the infected System files using ResEdit. Sure enough, both contained an extra INIT with i.d. of 6

   "LoadAT"   ID=6

Howard suggests in his notes that INIT resources with i.d. of 6, 10 or 17 in a System file show that the file is infected. No extra Desktop file was found in the System Folder as described by Howard Upchurch in his notes relating to Scores Virus.

Using the Repair option in Ferret, at the stage where infection was identified in the message box, removed the INIT resource with i.d. of 6. Subsequent runs of Ferret gave a clean bill of health for the whole disk, including these two System files. I later established that deleting the INIT i.d. of 6 resources using ResEdit would also remove "infection" as detected by Ferret.

At this stage I deleted the Bostb be Evill file using ResEdit. I have never seen this file on any Macintosh since.

My attention turned next to the College network of five Macintosh Plus computers sharing a 20 Mbyte hard disk and two Imagewriters. Since the MacServe System file on the separate Macintosh Plus had been infected I thought it likely that the System files on the network hard disk would be similarly infected. This proved to be true, again with the same INIT resource with i.d. of 6, again in the main System file and in the System file in the MacServe volume containing a System Folder for creating MacServe floppies for users.

The infection dates given by Ferret were particularly interesting:

   main System file            - Wed 29th June 1988 at 21:15
   MacServe folder System file - Fri Dec 18th 1987 09:30.

Assuming that these dates are correct, this shows that the virus had been present on this shared hard disk for at least six months, but had only transferred to the main System file itself the day before. As far as verifying the time is concerned, it is possible that someone was using the network at 21:15 hours, as the room was open to users then. It is certain that the network was running at that time.

At this stage, no files similar to the Bostb be Evill file were found on the MacServe network hard disk.

The infection date of December 18th for the System file used to create MacServe floppies suggested that all such floppies created after that date would also be infected. On checking, I found that all MacServe floppies have an infected System file with the added "LoadAT" INIT resource, i.d. of 6. All users of these floppies have been notified of the problem.

It would appear that the virus was first introduced to the MacServe network and that it was transferred in the MacServe folder copied to the separate Macintosh Plus with hard disk. From the MacServe folder on this separate Mac, the infection then spread to the main System file in this computer.

The date when the Bostb be Evill file appeared is not known but I believe that this file appeared after the MacServe System file with the INIT resource "LoadAT" i.d. 6 had been copied to the separate Macintosh and this belief is based on what happened next with the MacServe network system.

On returning to the MacServe network and switching on to run Ferret again, no virus was found on the disk. However, ResEdit showed the existence of a new invisible file with a four character name of box symbols. The system was switched off then restarted the following day. Again, Ferret detected no virus but a further two invisible files had been added to the desktop and were shown using ResEdit. One had the same four character name of boxes and the other was called Tsunami. Apparently, this is the name of a Japanese tidal wave which starts in a small way and grows rapidly to engulf everything in its path - again not a very friendly name for an invisible file on disk !

I assumed that these three files were similar to the original Bostb be Evill file found on the other Macintosh but rather than delete them, I decided to use ResEdit to investigate. The results were very interesting:

   all three files had no apparent type or creator
   all three were locked, invisible, Bozo and File Protect selected
   all three had the same resource fork size of 286 bytes
   all three had the same data fork size of 512 bytes.

Furthermore, all three showed a blank window when opened from the first ResEdit window. In other words, although they contained data and resources, ResEdit could not show them up.

Effects of the Infection

At first, it appeared that there were no specific problems caused by the infection. Examination of application CODE resources as described in the Scores Virus notes did not show any evidence of the added codes with i.d. numbers two greater than the next value, as described by Howard Upchurch.

However, it has now become clear that this infection does appear to cause problems and several examples which may be caused by the virus are worth a mention:

Macintosh Network Problems

   The MacServe system Imagewriter file became corrupted such that the Chooser could not see it as a printer option. Examination using ResEdit showed that the file had been significantly reduced in size ( Resource fork 3336 bytes ) compared with an uncorrupted file ( Resource fork 40246 bytes ).

   MacPaint document icons on MacServe volumes sometimes appeared as generic (i.e. blank) document icons, although this was only seen on a few occasions.

Problems with the Separate Macintosh Plus System

After "deleting" the Bostb be Evill file on the separate Macintosh Plus, many problems began to happen on that system:

   The System Bomb, ID 2 message appeared very frequently when opening a variety of applications. Previously, this has happened only rarely.

   During a session using MacWrite v5.0, part of the ruler would suddenly be corrupted, for example, the black background of the icon for "centre justified text" selected would suddenly be displaced a few millimetres to the left of the rest of the icon.

   When printing from MacWrite v5.0, the whole system would crash completely and the screen would be reduced to a white background with thin vertical lines.

   The MacWrite application itself became corrupted, such that attempting to open a MacWrite document caused the Finder to display a message that the Application was damaged. Examination with ResEdit caused an "Error opening a resource file" message [39] to appear.

   Running Ferret on this obviously sick Mac produced a clean bill of health, indicating that Ferret is perhaps limiting its examination to INIT resources with suspicious i.d. numbers.

   The System Folder on the separate Macintosh Plus was completely replaced two days ago and no problems were experienced in using that computer until yesterday. While using MacTerminal to receive E-MAIL and to send a copy of this document to Plymouth Polytechnic, I found that using the "Save As" option my filename was corrupted to four box symbol characters. I could not change these characters. The document appeared to be saved intact with this unwanted filename. This MacTerminal document is certainly corrupted but is it infected as well ?

Removing the Infection

   Do not rely on Ferret or Vaccine to protect your files. They may not be able to detect all infections or corruptions.

   Do not assume that only System files can become infected.

   Do not assume that Applications files cannot be infected. They can certainly be corrupted.

   Do not assume that Document files cannot be infected. They can certainly be corrupted.

   To remove infection with confidence, replace ALL files on an infected disk with copies from uninfected backup floppies, with the write-protect tab open. In other words, start again completely and do not assume any file is safe from infection.

The Current Situation at Seale-Hayne College

The MacServe network hard disk and Macintosh server have now been isolated from the network itself. The additional invisible files, including Tsunami, have not been deleted and, as yet, have not been joined by any more colleagues. The MacServe volume on the network hard disk has been supplied with a System file which still contained the "LoadAT" INIT resource with i.d. of 6. This has been done as an experiment to see if this INIT resource transfers itself to the main System file on that hard disk. This system will be monitored closely for the next week or so.

A virus-free Macintosh Plus with 20 Mbyte hard disk is now being installed in the Computer Unit, from which new systems will be issued. All Macintosh hard disks in College will be erased completely and fresh files re-installed from uninfected floppies.

A new College policy is being introduced to minimise the risk of introducing or spreading any type of virus infection to College computers by screening all disks before they are allowed to be used. This will apply to IBM PCs and compatibles as well as Macintoshes and will be strictly enforced with no exceptions in terms of staff or student users.

Conclusions

I hope that the account of how I have approached my investigation into this infection is of help to other Macintosh users. Clearly, there may be many types of virus infecting our software and the details of how to find out if they are present or what they do may also vary. Nevertheless, by using a combination of ResEdit and Ferret and other products, it is possible to uncover infection. By replacing all files on an infected disk and by a sensible approach to keeping backups, it should be possible to get rid of this problem so that we can all get back to a normal working situation.

*** These notes are intended for the widest circulation possible to Macintosh users. Please make as many copies as you wish and circulate them freely, on the one condition that the contents of this document may only be copied in full, with no additions or deletions. ***

If you wish, please feel free to contact me, using my postal address or telephone number or E-MAIL address given at the beginning of this document. I am very keen to contact anyone who can help me overcome the problems caused by this sort of infection.
=========================================================================
Date: Thu, 25 Aug 88 11:24:10 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "David A. Bader"
Subject: SUG

When I said that the SUG affair was traced back to softguard through some data in the code, I was not implying that this was the sole reason. I have an article explaining this, but since I am in the middle of packing up and moving rooms for college, I won't be able to find the reference until next monday or so.
But when I do, I will post it for your information.

David Bader
=========================================================================
Date: Thu, 25 Aug 88 12:11:00 CST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: "Dr. Howard J. Ramagli"
Subject: RE: a new virus:

                I N T E R O F F I C E   M E M O R A N D U M

                                        Date:     25-Aug-1988 12:07pm CST
                                        From:     Dr. Howard J. Ramagli
                                                  HRAMAGLI
                                        Dept:     Info. Systems & Services
                                        Tel No:   (901) 528-6392

TO:  Remote GMAIL User                    ( _GMAIL%VIRUS-L@LEHIIBM1 )

Subject: RE: a new virus:

A curious note on this new Mac Virus. The file spelling (Bostb be Evill) reminds me of the old Microsoft file protection scheme for either Multiplan or Microsoft File. Hope this is of some help.

Howard

************************************************************************
*                                                                      *
*  Dr. Howard J. Ramagli                                               *
*  BITNET Info Representative                                          *
*  Director, Technology Support Services                               *
*  Biomedical Information Transfer (BIT) Center                        *
*  University of Tennessee, Memphis, 877 Madison, Memphis, TN 38163    *
*  (901) 528-5024                                                      *
*  HRAMAGLI@UTMEM1.BITNET            U0282 on AppleLink                *
*                                                                      *
************************************************************************
=========================================================================
Date: Thu, 25 Aug 88 19:04:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ZDABADE@VAX1.CC.LEHIGH.EDU
Subject: Re: Softguard

I sorted through a thousand disks today and finally found the document on Softguard that I was referring to (under some cryptic filename!). Anyway, here is the memo, and enjoy!

------------------------------------------------------------------------------
Mark Garvin -- Xymetric Productions -- New York City                   3-7-87

I guess I have stirred some interest with my recent messages to BBS's concerning Trojan horse programs. I have decided to write the following file in the interest of warning others and hopefully finding clues to the origin of the programs.

I have been operating a Priam 60 Meg hard disk on my AT for the past two years with good results. About four months ago, I encountered a Trojan horse program called HI-Q.COM which corrupted the FAT table on the disk. I lost access to the entire D: drive and the files and boot sectors on the C: drive were so badly damaged that I had to reformat the drive.

Since there was nothing to be lost by trying the program again, I decided to confirm that HI-Q.COM was indeed the culprit. I ran a couple of the popular Trojan finders on the file first: Nothing. Thinking perhaps I was mistaken, I ran HI-Q under an INT13-trapper. No INT 13's were found and HI-Q ran normally. Upon rebooting the system, I found the same boot-sector errors, and CHKDSK again reported numerous cross-links, etc. I reformatted the drive and ran media checks to make sure the Priam was sound. After checking several other programs (I did NOT run the Trojan-testers or INT13-trapper again in case those were perhaps Trojan), I ran HI-Q.COM for the third time. Same results. This is enough for me: I'm convinced.

Up until this point, I had heard of Trojan horses, but honestly doubted that there were actually competent computer programmers around who were weird enough to write such a thing. I should also note that there is a program called HI-Q.EXE which has been tested by some boards, and is supposedly NOT a Trojan. I'm not going to try it on my hard disk system. The HI-Q.COM program may not have even been an intentional Trojan -- I'm willing to keep an open mind on the subject. Maybe it was incompetent programming, or perhaps someone ran SPACEMAKER or a similar program on the .EXE file to convert it to a .COM file, and inadvertently created a Trojan.

OK -- that's one thing.. The next Trojan I ran was DEFINITELY intentional. I had reformatted my Priam after the previous incident, and I haven't allowed the mysterious HI-Q program back on the system. However, I HAVE run numerous file-managers, etc.
from local BBS's -- maybe I'm just a trusting individual, but I wasn't ready to give up on Public Domain or shareware software just yet. Recently, the Priam started giving me trouble again: crosslinked and lost files, and no boot. I called Priam, hoping to get instructions for perhaps salvaging files on the D: drive, since the partition was destroyed. Priam's tech guided me through a HEX/ASCII dump of the boot record via a trap-door in Priam's FDISK program. Needless to say, we were BOTH incredulous at the result. Disbelievers should look closely at the HEX/ASCII dump below. This was NOT retyped or altered in any way. After booting from floppy, I redirected printer output to a disk file. What you are looking at below is exactly what appeared on my screen after the crash.

____________________________________________________________________________
0 = Master Boot Record, 25 = Extended Volume Record
1 - 24 = Volume Boot Record
Enter number of record to display (0 - 25) : [ 0]

  D   H   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
  0/  0  EB 7D 53 4F 46 54 4C 6F 4B 2B 20 33 2E 30 0D 0A  ..SOFTLoK+ 3.0..
 16/ 10  11 28 43 29 20 53 4F 46 54 47 55 41 52 44 0D 0A  .(C) SOFTGUARD..
 32/ 20  53 59 53 54 45 4D 53 2C 20 49 4E 43 2E 20 0D 0A  SYSTEMS, INC. ..
 48/ 30  32 38 34 30 20 53 74 20 54 68 6F 6D 61 73 0D 0A  2840 St Thomas..
 64/ 40  45 78 70 77 79 2C 20 73 74 65 20 32 30 31 0D 0A  Expwy, ste 201..
 80/ 50  53 61 6E 74 61 20 43 6C 61 72 61 2C 20 20 0D 0A  Santa Clara,  ..
 96/ 60  43 41 20 39 35 30 35 31 20 20 20 20 20 20 0D 0A  CA 95051      ..
112/ 70  34 38 30 2D 39 37 30 2D 39 34 32 30 10 07 00 FA  408-970-9420....
128/ 80  8C C8 8E D0 BC 00 7C FB 8B F4 8E C0 8E D8 FC BF  ......|.........
144/ 90  00 06 B9 00 01 F3 A5 EA D4 06 00 00 45 72 72 6F  ............Erro
160/ A0  72 20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74  r loading operat
176/ B0  69 6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69  ing system.Missi
192/ C0  6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73  ng operating sys
208/ D0  74 65 6D 00 BE BE 07 B9 04 00 AC 3C 80 74 15 83  tem........<.t..
224/ E0  C6 0F E2 F6 CD 18 AC 0A C0 74 FE BB 07 00 B4 0E  .........t......
240/ F0  CD 10 EB F2 4E 8B 14 8B 4C 02 BB 00 7C B8 11 02  ....N...L...|...

Press to ABORT, any other key to continue .
0 = Master Boot Record, 25 = Extended Volume Record
1 - 24 = Volume Boot Record
_____________________________________________________________________________

In the interest of justice, I would like to make the following observations:

1) The MAIN phone no. for SoftGuard systems is: 408-970-9240, NOT 9420. The no. listed above is not in use. The message it gives IS the normal message for that area, even though it sounds like it is computer generated. The phone co. says it is actually registered to Siliconix, a Silicon Valley chip-manufacturer, who probably has no interest in Public Domain software or BBS's.

2) I called SoftGuard, and they gave me a Mr. Phelps-type message, disavowing any knowledge of any Trojan programs or of SOFTLok, etc. which they said is not an official product. However, they have not returned my calls requesting additional information, and a request to speak to someone knowledgeable about their software protection techniques has not been answered. This may mean either that the message was cooked up by someone with a vendetta against SoftGuard (I don't know why!), or that SoftGuard wants to be able to identify the source of the Trojan program by the information phoned in by irate people whose disks have just crashed. In my opinion, the juxtaposition of the phone no. digits could be caused by errors on the part of whoever wrote the Trojan program, whether it was within SoftGuard, or not.
After restoring the hard disk, I scanned every file on it, and "SoftGuard" did not appear anywhere. The cleverness in bit-shifting the ASCII digits, or otherwise disguising them, may also have resulted in the wrong phone no.

3) I have not, and will not, install SoftGuard programs on my disks. Also, I obviously do not have any reason to run any of the unprotect programs for SoftGuard, of which some are supposedly Trojans themselves (see below). I have no idea of which file of the 2,000+ files on my system was the origin of the message. As explained above, I have scanned them for ASCII text and I've come up with nothing so far.

There are numerous warnings in circulation concerning SoftGuard Systems, manufacturers of the SuperLock copy-protection scheme. They SUPPOSEDLY upload Trojan programs to BBS's either to try to get their own form of justice against those who try to crack their software, or because they are just bitter about the numerous SoftGuard/SuperLock unprotectors which are circulating on the BBS's. Most of these Trojans have the name SUG.. (Soft-Un-Guard) or something similar. I did not originally believe that SoftGuard would be stupid enough to do such a thing. After all, a lesson should have been learned by the example of Prolok (another copy-protect manufacturer), who claimed that their new software would destroy the hard disk of anyone who tried to mis-use it. Most users, legitimate and otherwise, dropped them instantly, even though Prolok realized their grave error and retracted their previous advertising. After all, who wants to have their hard disk destroyed by accidentally inserting the wrong key disk?

The SUG programs mentioned are reported to say something like: "Courtesy of SoftGuard Systems .. So sue us!" -- after trashing the hard disk.

My feelings about possibly casting doubt on the integrity of SoftGuard ? They did NOT convince me that they were blameless, and if they cared, they would have returned my phone calls.
However, it MAY just be coincidence that a lot of the Trojan programs mention SoftGuard.

Recommendations:

Whether SoftGuard is at fault or not, they did not give me an adequate explanation of the rumors circulating about them, and they did not return my calls. I would recommend that individuals and companies stay away from SoftGuard/SuperLock, or any other copy-protect program which writes hidden, strange information onto their hard disks. Users of such copy-protected software should write or call the manufacturers and request that the copy protection be discontinued. Explain to them that pirates will always crack copy-protection, and that only the legitimate users suffer from its use. If you work for a company that uses copy-protected software, why not get a print-out of this file and show it to the person in charge of purchasing software?

If you DO have a hard disk crash, try to recover the boot-record on the disk before just giving up and reformatting. You may find something similar to the above. The manufacturer or vendor of your hard disk may be able to steer you through the proper procedure for doing this.

Read this month's (March 1987) issue of 'Computer Language' for more information on Trojan horse programs. The article recommends contacting Eric Newhouse at THE CREST BBS regarding trojan horse programs. If you DO run into one, keep a copy of the file, and have a knowledgeable BBS-user send it, and an explanation to Eric's BBS at 213-471-2518. DO NOT SEND THE FILE WITH ITS ORIGINAL NAME. The file name should be changed to something NOT ending in .EXE or .COM (how about .TRJ), and it should be sent to the attention of the SYSOP. This is usually done by waiting for the prompt to enter the file description, and starting the description with '/'. Afterwards, also leave a comment to SYSOP which states the nature, and description of the file. In other words, don't inadvertently upload a Trojan program which could victimize others.
Watch out for some of the so-called Trojan testers. The majority of these are legitimate, but a few of them are actually Trojans themselves. Also, before jumping the gun and assuming a program is Trojan, check other possible sources for disk errors, etc. Sometimes hard disk media just develops errors, and there ARE some programs circulating as 'jokes' which put a message up which says they are reformatting your drives, or even claim to be draining excess water out of your disk drives.

Most of the nasty Trojan programs don't cause their damage immediately. They wait for the drive to fill up a bit, or they wait for a random time interval. In the latter case described above, I suspected a file manager that I had just run. It turns out that others have used the program with no ill effects.

It seems to me that the future of PD software, as well as BBS systems is being threatened by this type of thing. A concerted effort on the part of SYSOPS to correlate the names and origins of people who upload Trojan software may help to track them down. Most BBS software keeps track of the names of people uploading software. I doubt that Trojan writers are stupid enough to list their real names, but it's time that some ingenuity was used in putting a stop to this.

I am a serious software developer, and I have taken some time off to write this message in the interest of helping other PD software users. Unfortunately, I don't have the time to coordinate any effort in analysis of Trojan programs and I cannot be contacted by phone (unlisted), but if you DO run into something similar, or if you have questions about any of the info presented here, leave me a personal message on any of the larger BBS's in New York City, and I will try to reply on the same board.

PLEASE DO circulate this file. It is important information for anyone running a BBS, or using Public Domain or SoftGuard/SuperLock software.
-----------------------------------------------------------------------------

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
| From: David A. Bader, Studentis Maximus                                  |
|                                                                          |
| DAB3@LEHIGH                          SloNet: 1402 Lorain Avenue          |
| ZDABADE@VAX1.CC.LEHIGH.EDU                   Bethlehem, Pa. 18018        |
| HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                       |
|                                                                          |
| SchoolNet: Box 914,                  -On a mostly harmless               |
| Lehigh University,                    blue green planet...               |
| Bethlehem, Pa. 18015                 -And loving it!                     |
\__________________________________________________________________________/

=========================================================================
Date: Fri, 26 Aug 88 02:35:46 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Steve
Subject: SUG

David: I stand corrected. I did hear of SUG previously --- from you on this list.

Len Levine has a good point that just because a company's name is written all over a product, it doesn't mean that they are in any way connected with it (Len, you misspelled Reagan :-). It is entirely possible that someone simply doesn't like SoftGuard and is trying to discredit them, unless SoftGuard is claiming responsibility (but even that isn't absolute proof that they did it --- maybe they only wished they'd done it). Does anybody know if SoftGuard is really claiming responsibility for the SUG thing? I could sort of understand if they elected not to say anything and just let people think that the boogie man will get them if they try to misuse SoftGuard products (whether or not they are actually responsible and even if I think it's bad public relations not to issue a disclaimer), but to take credit seems insane. I would think that by claiming responsibility they would greatly simplify prosecution of an otherwise nearly impossible case.

--------------------------------------------------------------------------
Steven C. Woronick      | An extrapolation of its present rate of
Physics Dept.
                        | growth reveals that in the not too distant
SUNY @ Stony Brook      | future, Physical Review will fill bookshelves
Stony Brook, NY 11794   | at a speed exceeding that of light. This
                        | is not forbidden by relativity, since no
516-632-8133            | information is being conveyed.

=========================================================================
Date: Fri, 26 Aug 88 10:39:02 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Jim Marks
Subject: Re: Safeguard and SUG
In-Reply-To: Message of Thu, 25 Aug 88 09:28:48 CDT from

You make a good point. A particular problem with hacked code is the case where some malevolent person takes a useful piece of code (which, of course, will probably have the author's name prominently displayed) and hacks it into a trojan horse, time bomb, virus, or whatever. They don't remove the person's name and so he/she gets the blame. In general, I would not expect to see the REAL hacker's name in such a program.

It's bad enough to plant such a destructive piece of code among users. What is probably even WORSE is trying to impugn (sp?) the reputation of a legitimate software author. I'm not sure that is what happened in this case, though. I only know what I've seen here.

Jim Marks

=========================================================================
Date: Fri, 26 Aug 88 15:59:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ZDABADE@VAX1.CC.LEHIGH.EDU
Subject: Random BBS virus memos

Here is a short collection of virus memos that I found on some BBS's recently:

Msg # 14 Dated 07-19-88 18:27:21
From: SHARON KLEGARTH
To: ALL
Re: VIRUS
Last read at 09:02:35 on 07/28/88

It has happened....my system has a virus!!
Am not sure where it was picked up from...but many strange things happened....in info sent to a log file parts of my diskcopy and diskcomp appeared....and my DOS disk disappeared...the disk with the file I sent my Procomm log to appeared in its place....a file Trojan.arc...(bombsqad) is VERY good.... it showed me that something kept wanting to write to disk A, head 0, track 0, sector 1, number 1, data address 0070:15F7.....OFTEN...even when reading my directory...or trying to load a file...not every time, mind you...sometimes I had to do the function 10 or 20 times before it tried to write to disk A....sneaky little virus. I have an old DOS and a new d/l copy of bombsqad on it...booting it up when the system boots up... so now I have to go through all my disks to see what will have to be trashed...(formatted TWICE I have been told will get rid of the virus..) AND I am now using the write protect tabs I should have been using all along....sigh....

Sharon

-------------------------------------------------------------------------
-------------------------------------------------------------------------

According to Keith Graham (author of TXT2COM, etc.) and Ross Greenberg who is the legitimate author of FLUSHOTx.ARC, there is a file in circulation under the name FLUSHOT4.ARC which contains a sophisticated TROJAN. Some unknown -- but very knowledgeable -- assembly language hacker has taken Keith's TXT2COM and modified it so that if the trojan file created with it (the one that Keith and Ross examined was named FLU4TXT.COM) is run, it will TRASH THE HARD DISK on that system when the program exits.

Legitimate versions of FLUSHOT contain only ASCII documentation and not "executable text files". When the trojan file is scanned [or LISTed in hex mode], the string (without quotes) "XT2COM" will be found. Apparently, the missing "T" has been replaced by code which branches to the trojan portion of the file.
Clearly it is possible for this file to be renamed and/or included within other archives (not to give the malicious children out there ideas, but...) and so please take precautions not only with any executable text files found in FLUSHOTx.ARC, but similar files found in other archives as well. Bulletin #1 on Mr. Greenberg's BBS on this subject is in FLU4TXT.ARC.

Please disseminate this information as widely as possible.

co-sysop, PC-Rockland BBS
(914) 353-2176 [FREEBOARD]
(914) 353-2157 [paid registration]

--------------------------------------------------------------------------------
-------------------------------------------------------------------------------

Rogue program jams memories of computer network.

Tampa, Fl. (AP) A self-propagating computer program is spreading like an electronic virus, threatening to damage systems ranging from that at AT+T's regional headquarters to a computer club's floppy disks.

"It kind of creeps up on you," said Jeff White, president of the Tampa Amiga users group, whose membership was infiltrated by the small rogue program. A similar virus affected the vast network of computers at International Business Machines Corp.'s regional headquarters in Tampa last month.

Virus is computer jargon for a self-propagating set of orders devised by a saboteur and automatically copied from one computer disk to another, gradually taking up more and more memory space.

The virus, programmed to wipe out thousands of files and years of research on Friday the 13th this May, was inserted into Hebrew University computers in Jerusalem, said Isreal Adai, a senior programmer at the university's computer center. "It is the most devastating thing we've ever come across," Aidia said last week.

The Tampa Tribune reported yesterday that experts say they do not yet know what, if any, damage the virus can cause to previously stored programs or stored information.
But it quoted one expert as saying a version of the virus was similar to the one found in Israel, designed to begin destroying files on Friday the 13th.

White said the program was copied on to more than 20 of his floppy disks before he discovered it! By then the program had spread to the disks of many of the club members via their regular disk of the month distribution.

In Israel, university computer experts devised two programs called "immune" and "unvirus" which tell users whether their disks have been infected and apply an antidote to those that have.

At IBM the virus took the form of an electronic chain letter that grew so large it slowed the company's computerized message system. A holiday message promised to draw a Christmas tree on the screen if someone would type the word "Christmas" on the computer. Instead the program kept repeating itself and spreading to other computers in the network.

The IBM problem was stopped before it spread to other customers' computers, according to spokesman Frank Gobes. "We haven't determined where it came from," said Frank. IBM's information network in Tampa serves as a hub for a large electronic system that is linked to machines from San Diego to Boston and from Miami to Seattle. It is also linked to computers outside the United States, Gobes said.

The company installed an electronic filter to help prevent further breaches of its network. The filter- yet another computer program- will not allow the transfer of programs within IBM's system, Gobe said.

This article taken from: The Courier News, Bridgewater N.J., Jan 22 1988

------------------------------------------------------------------------------
------------------------------------------------------------------------------

Not to be outdone, The Hyper drive has been invaded by a virus! Seems like a program called FLUSHOT2.ARC was uploaded to the system which almost had a very bad outcome. Luckily this problem was caught in time. If you downloaded this file, destroy it.
It will do no harm till you try to format a disk. It will then start to do its thing. I DO NOT hold the uploader responsible for this file as he probably did not know what was going on. This is how these files work! If it sounds too good to be true, it just might be! To maintain the integrity of the system this file has been pulled off the list of downloadable files. Again, if anyone has this file, rid themselves of it before it gets to you.

SYSOP

--------------------------------------------------------------------------------
-------------------------------------------------------------------------------

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
| From: David A. Bader, Studentis Maximus                                  |
|                                                                          |
| DAB3@LEHIGH                          SloNet: 1402 Lorain Avenue          |
| ZDABADE@VAX1.CC.LEHIGH.EDU                   Bethlehem, Pa. 18018        |
| HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                       |
|                                                                          |
| SchoolNet: Box 914,                  -On a mostly harmless               |
| Lehigh University,                    blue green planet...               |
| Bethlehem, Pa. 18015                 -And loving it!                     |
\__________________________________________________________________________/

=========================================================================
Date: Fri, 26 Aug 88 18:22:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: ZDABADE@VAX1.CC.LEHIGH.EDU
Subject: PKTROJAN Notice

Here is another interesting tidbit that I found:

TROJAN WARNING

To all callers who might have downloaded PKPATCH.arc here or from any other BBS .... Some users have found problems with hard disk crashes after/during use of the patch. Read the following, and check your file. I would (conservatively) not use either patch, and heed Phil's warning on the use of PKARC on large binary files ........

-----------------------------------------------------------------------------
The following is a message from Phil Katz author of PKX35A35 regarding a user's questioning of a patch for same that has been circulating around the boards...
------------------------------------------------------------------------------

DO NOT RUN THAT PATCH THAT YOU UPLOADED!!! It is *definitely* a trojan! It is a copy of an actual article posted by me on USENET, with one line different. That line is the patch for PKXARC.COM. This has obviously intentionally been done as a very sick joke. The debug patch that you uploaded will write to direct sectors as you figured, and from what I can tell, will wipe out the FAT or Master Boot Record for drive C:. BAD NEWS!

The PKXARC patch that I posted should be as follows:

debug pkxarc.com
e 1d0b 8b 3e c8 f4 80 3e d0 f5 0c 75 06 e8 a9 06 eb 1a 90 aa
w
q

What was in the file you uploaded was:

debug pkxarc.com
e 1d0b b8 02 00 b9 ff 00 ba 00 00 cd 26 90 e9 fa ff 1a 90 aa
w
q

As you can see, what you uploaded was quite different than what I originally posted. Please inform the sysop of ANY system where you see that file to check it, delete it if necessary and inform users...

------------------------------------------------------------------------------
The following is a message from Phil Katz author of PKX35A35 regarding a TROJAN PKXARC that has been circulating around the boards...
------------------------------------------------------------------------------

From: PHIL KATZ
To: ALL
Subj: TROJAN PKXARC
c: ARC+ZOO+ #1002 12-27-87 23:16 (Read 0 times)
f: PHIL KATZ (REBEL LEADER)
t: ALL
s: TROJAN ALERT
cc: SYSOP

12/27/87

There have recently been several trojan/hacked/pirated versions of PKARC/PKXARC showing up. The most vicious of the bunch is called NEWARKR.EXE. This is a (PKSFX) self-extracting file, but contains no DOCS. The programs PKXARC, PKARC, and PKSFX have been renamed to XARKR, ARKR, and RKSFX respectively. The PKWARE copyright has been removed from these programs, along with PKWARE's address and all references to ShareWare. The Copyright notice has been replaced with the phrase "Public Domain Software".
These programs have been modified in other means too, and their reliability is unknown.

Equally malicious, there has been a trojan patch for PKXARC that has been circulated. It is a copy of a valid message from me posted on USENET, except the patch given in the message has been changed to write directly to the FAT and wipe out disk C.

There have been also various files circulated claiming to be PKARC/PKXARC versions 3.6 and 5.3. These are all hacked or pirated.

The perpetrators of these hacks are guilty of Copyright infringement, theft, libel with malice, or other applicable crimes. PKWARE Inc. will seek to prosecute these individuals to the fullest extent of the law.

If you see any file claiming to be a new version of PKARC/PKXARC or a patch to those programs, and are unsure of their origin, please check the following BBS's for the authentic files:

PKWARE BBS       414-352-7176
EXEC-PC          414-964-5160
RBBS OF CHICAGO  312-352-1035
SOUND OF MUSIC   516-536-8723

If you do encounter any hacked or pirated files, please inform the SYSOP of the system with these files to delete them immediately. Please also inform PKWARE Inc. of these files, their origin, and all other information that you have available. We can be reached at either any of the above BBS numbers, or 414-352-3670 voice.

Only with your help can these very sick individuals be prevented from causing harm to unsuspecting victims of these hacked and pirated programs.

>Phil Katz>

---------------------------------------------------------------------------

/-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
| From: David A. Bader, Studentis Maximus                                  |
|                                                                          |
| DAB3@LEHIGH                          SloNet: 1402 Lorain Avenue          |
| ZDABADE@VAX1.CC.LEHIGH.EDU                   Bethlehem, Pa. 18018        |
| HACK!DAB@SCARECROW.CSEE.LEHIGH.EDU                                       |
|                                                                          |
| SchoolNet: Box 914,                  -On a mostly harmless               |
| Lehigh University,                    blue green planet...               |
| Bethlehem, Pa. 18015                 -And loving it!                     |
\__________________________________________________________________________/

=========================================================================
Date: Sat, 27 Aug 88 01:54:20 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Amanda B Rosen
Subject: New Mac Virus (INIT 6, 'LoadAT') may not be a virus

It's been a long while since I used MacServe, but I am positive that the 'LoadAT' INIT 6 described in the recent article about a supposed Mac Virus is actually part of MacServe. I can't explain the invisible files, but I'm sure that all sorts of odd things will happen if you try to run MacServe without one of its inits. Creating invisible and oddly named files is a possibility. I also seem to remember something about a file named something-or-other evill, but I can't remember what it was. It was not, I think, a virus.

If the person from that English college is not on this list, would the person who cross-posted the original article please forward this response to him? Thanks.

/a

=========================================================================
Date: Sat, 27 Aug 88 10:41:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: WHMurray@DOCKMASTER.ARPA
Subject: RE: Controlled Study of Viruses
In-Reply-To: Message of 24 Aug 88 02:42 EDT from "ZDABADE%VAX1.CC.LEHIGH.EDU at CUNYVM.CUNY.EDU"

>can you see the situation that would arise if someone else out there also
>got a copy of the viruses "to study" but instead had other plans for them!
>As it stands, sending you viruses HAS to be a weak link in security because
>I doubt that most of the places sending to you have even met you in person.
>David
> From: David A. Bader, Studentis Maximus

Hear! Hear! Without regard to the motive, there is more than enough traffic in viruses without forwarding them knowingly. If you see one, sterilize it; if you cannot sterilize it, kill it. Under no circumstances should you give one to anyone else.
Sterilized viruses can still carry all of the information required by serious academics.

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

=========================================================================
Date: Sat, 27 Aug 88 10:52:00 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: WHMurray@DOCKMASTER.ARPA
Subject: Re: Controlled Study of Viruses
In-Reply-To: Message of 23 Aug 88 19:58 EDT from "Loren K Keim -- Lehigh University"

Loren Keim writes:

>I debated whether to send this directly to David or to
>the entire list, and I feel that the list should know
>that we NEVER compromise on security.

With all due respect for his motives and intentions, if twenty years in security has taught me nothing else, it has taught me that everyone compromises security. It is the nature of things. Security is by definition a compromise. It cannot be otherwise. I am much more confident in the security efforts of people that understand this, than with those of people who tell me that they "NEVER" compromise. EVERYBODY compromises (even I).

William Hugh Murray, Fellow, Information System Security, Ernst & Whinney
2000 National City Center Cleveland, Ohio 44114
21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840

=========================================================================
Date: Sat, 27 Aug 88 13:26:26 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: David.Slonosky@QUEENSU.CA
Subject: Re: The First Virus
In-Reply-To:

>...Of course that is absurd on its face since "The Adolescence of P1" was
>published in the early 70's. It described "trapdoors," "Trojan Horses,"
>and viruses in excruciating and withering detail. These were the
>"kernel of truth" on which the author hung his fantasy.
>
>Merle Miller quotes Harry Truman: "The only thing new in the world is
>the history you don't know."
What exactly is "The Adolescence of P1"? Fact or fiction?

David Slonosky/QueensU/CA,"",CA | Know thyself?
                                | If I knew myself, I'd run away.

=========================================================================
Date: Sat, 27 Aug 88 12:22:30 PDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Robert Slade
Subject: PERFECT virus?

Recently there has been speculation of a "targeted" virus that may be aimed at Word Perfect 5.0. My brother's office has recently upgraded to 5.0 and seems to have coincidentally been hit with a virus. An extra, and as yet unidentified hidden file seems to have appeared on the hard disk and many floppies. (This is in addition to the two MS-DOS system files and one partitioning the hard disk.) Word Perfect files are being steadily corrupted, as well as some others. Any info relating to this is, of course, appreciated. I will post further details as they become available.

=========================================================================
Date: Sat, 27 Aug 88 20:03:00 EST
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Dimitri Vulis
Subject: The Adolescence of P1

The Adolescence of P1 is a novel by Thomas J. Ryan, highly recommended. From a technical point of view, the virus part is quite realistic (undoubtedly influenced by the viri extant on Arpanet even when the book was written); the AI part is pure SciFi. If you've never read it, you definitely should.

-DV

=========================================================================
Date: Sun, 28 Aug 88 19:04:29 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: David.Slonosky@QUEENSU.CA
Subject: Virus Law

I have a hypothetical legal question. Suppose User A has the perfect program on a disk, an easily used and fast DOS shell/notepad/modem program/data base/word processor/spreadsheet/coffee maker... Unbeknownst to user A, a virus has become embedded in the boot track of his/her copy of the disk.
User B, desirous of obtaining user A's program, copies files from this disk and begins using it. 2 weeks later, B's hard drive is trashed, along with valuable information.

Questions:

1) Is A legally to blame?

2) How does A prove his/her innocence in the matter if it is known that A is a capable assembly language programmer?

3) Does this scenario change if A is a large software manufacturer? If B is a large corporation who receives infected files from another corporation and has an entire set of confidential data corrupted?

4) Are BBS SYSOPS responsible for any malicious software which is downloaded from their boards?

I just thought of these in the shower last night. I don't know how many CPU lawyers there are out there, but I hope that these are relevant questions.

David Slonosky/QueensU/CA,"",CA | Know thyself?
                                | If I knew myself, I'd run away.

=========================================================================
Date: Sun, 28 Aug 88 21:35:21 EDT
Reply-To: Virus Discussion List
Sender: Virus Discussion List
From: Loren K Keim -- Lehigh University
Subject: Who's SAFE?

Well, I've had quite a few questions (alright, I've had a truckload of questions) on who can receive viruses, who is alright to have copies, etc etc etc.

I can't tell you precisely who may or may not receive anything, unfortunately. Generally it's played by ear. There are several groups and institutions dedicated to computer security which are recognized by the computing society to be reasonably safe. As William Murray pointed out sometime this weekend, in the study of security threats, we all end up compromising to some extent in order to observe something.
Fred Cohen is a member of the Foundation for Computer Integrity Research, Joseph Beckman is an employee of the National Computer Security Center, the FBI has people investigating computer virus propogation, Maria Pozzo has worked on creation of B2 security systems and has studied Viruses under grants from IBM if memory serves, I am independent and have been called upon several times to work on security problems or virus containment. All of these people are relatively "safe". FoundationWare of Ohio claims that the only rightful holders of the Lehigh Virus include the federal government, Lehigh, and them (that is on memory, I believe I am correct in that statement). Yet I have run across several companies with copies of the program as well as several newsmen with copies (NEVER give viruses to newsmen!!!) I spoke at length to someone a while back who identified himself as working for the NSC. He told me that I could continue research on specific viruses if I had worked on them for some institution. He told me, however, that NO ONE was to get a copy of the Lehigh Virus (interesting puzzle). Joe Beckman: > As an employee of the National Computer Security Center, I must > point out that we do *NOT* attempt to track perpetrators for > prosecution or for *ANY* other reason! > We are not a law enforcement Agency, and are prohibited by law > to take any such action. Who is authorized to have viruses, I asked the man from the NSC. He said that it was very hard to say who may have what at what time. He said that the matter was a national security threat and that viruses should not be handled by any more people than those that are treating the problem, and even then it should be reported. He failed to tell me where I could report it. So who is authorized to handle viruses? Am I? Is William Murray? Is anyone? Does it matter what qualifications we have, or how many security problems we have solved in the past, or any work we may have done that was related to the problem? 
I really don't know. If I am asked to help with a viral problem or infection at some university, corportation, government office and so on, I will continue to appear, and I will continue to work on such problems and will continue to design security systems for companies and research facilities. If the FBI comes to me and wants complete information, I will give them everything I can; if someone designing a virus-fighting package comes to me, I probably will not. Its a question I can't easily answer. I've spoken at length with people before about particular viruses. I've gone over code with other people of some viruses and I've played with some viruses with others who have spent a great deal of time studying viruses and security threats. Loren ========================================================================= Date: Sun, 28 Aug 88 21:40:04 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Loren K Keim -- Lehigh University Subject: Virus Conference The Conference seems to be going well. I have a lot of letters to reply to on the subject, and haven't had time, so hold on and I'll get to them. Please try to submit your reservation to me as soon as possible for the conference so I can make sure we'll have enough people coming to cover expenses. Remember to send it to: Virus Conference c/o Loren Keim P.O. Box 2423 Lehigh Valley, Pa. 18001 Include your name, company/college name, position, and any information you might feel is pertinant. Thanks, Loren Keim ========================================================================= Date: Sun, 28 Aug 88 21:49:57 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Loren K Keim -- Lehigh University Subject: Computer Virus and Security Papers In accordance with so many requests for a list of virus articles, I'll write some down which were fairly good: Fred Cohen, "Computer Viruses", Proceedings of the 7th DOD/NBS Computer Security Conference, Sep 1984, p 240-263. K.J. 
Biba, "Integrity Considerations for Secure Computer Systems, MITRE Technical Report, MTR-3153, June 1975. M.M Pozzo "Managing Exposure to Potentially Malicious Programs", Proceedings of the 9th National Computer Security Conference, Sep 1986. M.M Pozzo "An Approach to Containing Computer Viruses", Computers and Security 6 (1987), p 321-331. Some people may also look for: A.D. Dewdney "Computer Recreations", Scientific American, May 1984, pp 14-22. (Corewars Game) D.E. Denning, "Cryptography and Data Security". Addison Wessley Pub, Reading Ma. 1982. Fred Cohen "Computer Viruses - Theories and Experiments", Computers and Security 6 (1987) pp. 22-35. D.E Bell and L.J. LaPadula "Secure Computer System: Unified Exposition and Multics Interpretation" MITRE Technical Report, MTR-2997, July 1975. Also, one that I haven't had any luck tracking down yet --- Shoch, J.F. and Hupp, J.A. "The Worm Programs" Communications of the ACM 25, 3 (March 1982) 172-180. If anyone sees this last one, can they please forward me a copy of it? Loren Keim ========================================================================= Date: Sun, 28 Aug 88 23:23:59 EDT Reply-To: Virus Discussion List Sender: Virus Discussion List From: Loren K Keim -- Lehigh University Subject: Conference Notes Sorry to keep cluttering up your mailboxes! To answer some questions, what I said about the conference a few hours ago probably didn't come out quite right. What I meant was that I have received approx 15 registrations for the conference. In addition, I have received over 60 e-mailed letters telling me that people are coming, but I haven't yet received any notes from them/checks from them. We have a total of almost 400 people who have either requested more information, or have stated that they have collegues, friends and associates who might like to attend. I am waiting till we receive a total of about 50 notes to the P.O. box before I send out information about Hotels and so on. 
Although I'm quite certain we'll have a large number of professionals show up for the conference, I'd like to make certain we are covered. So please don't wait to send in a note to me telling me that you are coming (I know, I'm slow at doing things as well), send something off to me as soon as possible.

Looks like we have two panel discussions with a total of 7 people speaking set up so far. We're still trying to get hold of a few more people. We have a great bunch of people coming so far from a wide range of the computer community.

Please join us.

Loren Keim

(For those who missed it twice before:
PO Box 2423
Lehigh Valley Pa. 18001 )